Security, Stuck in the Middle of Tech & Exec

yeah and thanks for everybody for staying for the last track pretty cool so um quick quick kind of guest participation before we get started so this this talk is a lot about you know going from tech to exec from IT to more of an executive level and conversations between the two and count a little history lesson with me and my experiences that hopefully will learn from and not do the same things twice that I did if I did him wrong so quick show of hands who's on the exact side whether it's a present level CEO level sea level anything like that any execs none okay how about a middle management whether it's manager ten years of

experience you know she's been doing this for quite a while couple okay what about more of the entry level just getting started a few more anybody hadn't have no experience whatsoever and the rest just don't raise your hands like me so that's cool all right I get so this a little bit about me um please point out here you know if you look way down there telling stories um I'm I've been a teacher for 15 years so you know full-time job and I ki have had a full-time job insecurity I went up and down the organization lauer ladder we'll talk about that in a minute but really I like sharing stories and again like making people aware of what's going on

so here's kind of what we're going to walk through again these experiences are specifically to me they may be not normal to everybody else but like I said I've had a lot of interactions with executives and with very non-technical people so I've taught lots and lots of computer classes had one particular example a guy came in and got done off out of a three hour class and at the end it was a computer class he said okay I've got this thing here how do i turn it on so I've had a lot of experience communicating with people that have just no idea to the people that are the executive level where they need certain things so we'll talk about some of that

journey some of those experiences some keys to successful communications we'll talk about some few magic words or some buzz words and then we'll talk about how to create that bridge how to go from an IT to an exact level or from an exact down to an IT level and then we'll have some recommendations in a summary okay so in the beginning way back in the day this is where i started my IT career I worked for a city government there's only about 350 users so you know relatively small organization in my mind I did anything from desktop support network administration help desk you know I just basically the IT guy for the organization here's what that turn into

we have fields people on the team but this would be a typical conversation somebody has something wrong with the internet they specifically said they'd call in or walk in person say hey question is why is the internet down and our tech guys this would be an actual response would be oh well we thought it will offer network connection from the ISP but actually when the servers just scratched and the response from the person asking questions was kind of like what what'd you just say I don't I don't get that so another example anybody see when these before user my computer just stopped working and now it's blue what the heck is going on here our IT guy oh

you have a bsod try restarting it that doesn't work well just image it and rebuild it again the user was like cool I don't get it what what exactly is BS what I don't understand so things that came out of that particular you know years of experience was keeping it simple um a good example of this and this was many many years ago to set up those user profiles it was back in the windows 98 days and NT we had to actually set up the profile so we had people's passwords we logged into them so basically they would go home at one night it would look one way brand new machine brand new build brand new

profile they come in the next day and it was exactly the same because we had built it logged in as them made sure everything work to make sure I counter everything we need to make it so simple that it was repetitive and easy and that's going to be a theme through this is keeping that simple um the other thing found out really quickly is that you guys I'm sure everybody knows not every quote unquote user is created equal they all have different needs they all different municate different questions so you know that was a that was the theme and that continued to be a theme throughout my career for sure the other key here that

that I learned from that to experience was listen and understand what that user problem was but then also reiterate back to them in their terms but also using some technical specifics meaning you know if they have a problem instead of saying it's a bsod explain maybe what that actually is and more their layman's terms and then use when analogies you know I've got some examples of knowledge is in here so the more stories you can tell the more analogies people get it so we fast forward I noticed that I think Nick had some you know monkey in his slide so I'll get a couple monkeys in my fly but I went into I tiata I was an

internal auditor got a fancy little badge and this is what came out about I would go and I would work with the IT technical people whether it be sir Edmunds network admins fire Weidman's database magicians where they were and I'd have these type of questions you know specific access questions you see some specifics in there around you know are there satisfactory procedures for reissuing passwords to users who have forgotten there's what's satisfactory real mean and procedures what's the documentation soon as an auditor i would expect people to give me information give me your responses tell me verbally which is cool most people pass that audit test of i'm going to explain how it's done what see that supporting

evidence of this is how it's documented making sure it's the same so things started start clicking in the IT audit world for me and I started realizing that just getting a response as a yes no getting just a little bit of information of oh yeah we do that here's how we do it or if they really went into a real technical speak around how they did it I would have to understand that and figure out well how does that actually fit in the bigger picture what does that actually mean what you just said give me some more evidence so you say you change this port on the firewall okay that's cool on that school your documentation says

that but actually show me how you changed it give me that true picture of what it is because I needed to understand from an audit perspective why it was like that why do you have certain controls while you not have certain controls why is this control better than that control so that was kind of just a very eye-opening experience of getting that evidence and getting that additional set of information again is it built the awareness around getting more information the other kind of flip side of this that i found that was challenging that there was a lot of history that the previous people in our department we go in do an audit and they would leave and they would go back the

next time do the audit again and those people won't give any information because what was happening was the IG otters would reported up the organization all of a sudden there was a finding that that group wasn't doing what they're supposed to and now those people I'd well I gotta tell you anything because you just you just you know tore me apart last time so keeping that trust with the individual from an IT auditor perspective I utilize my technical background a lot in that particular position I remember one specific example that I had to audit a firewall and this guy that ran the firewall had a very strong history of just going through auditors left and

right because they would ask questions and they would either take his word for it or they'd ask really silly questions that you know they shouldn't been asking or they would go down a technical track and you won't be understand so what I did to prepare for this guy that firewall I man was i read up i read the entire book on whatever that firewall was looked up controls on it looked what other people are did and really understood what that far was all about so when I went in to talk to him he was like how great newbie I'm going to burn through this guy too we got into some pretty deep technical conversations and

at the point where it got the end of it is a hey you know this was actually the best audit he revealed information that I didn't even ask for because he trusted that I had the IC experience and then when I talked to him about ok well here's what I'm thinking the findings are does that really fit I had that trust with him he's like yeah that's totally legit I'll fix that tomorrow or I'll fix that in the next week or I can't do it because of this but you know we had that lationship because I understood what he was saying he was then relating it back to me once I had the full picture then i

can raise really up the chain of command and have the appropriate audit finding as opposed to just you know you didn't do the password policy or either do this documentation so again just reiterating getting the whole full story and asking for more details asking the why is really really important so that was kind of looking at from an IC our prospective down to the person i was at the technical guy then on the flip side arranged issues because i would take these executive reports and report up to sea level people of what the findings were and you can't just tell a CEO hey we've got a port open on this firewall and it's bad they don't get that at all

what you had to do or what I was successful with was putting it all in terms of risk lots of conversations with management need to come back to risk because management executive management understand risk they understand financial risk they understand insurance risk they get risk they get business risk and so putting security in that world of risk was really important so I would define what is the likelihood well when is this going to actually happen and not say the likelihoods red or the likelihood is a three the likelihood is the translation of that this will happen within the next six months based on industry standards based on evidence based on whatever that is this will

happen within the next year or you know what this really probably will happen to move you know any time the next ten years I probably wouldn't worry about that so that's kind of the likelihood of it and then the impact piece of this so okay we know what's going to happen in six months what's that really me is that going to shut business out entirely is that some one person going to be upset is that you know what is the true impact of this risk and so lots of conversations I have with management would all come back to this table management love colors so it's easy for them to look at the color and say oh Red

bad green good ok but then explain to them what that red and green actually means from likelihood an impact next question that management would always talk or at okay if it's red how much is actually gonna cost to go to that orangish color or go down to a yellow or you know well we really want to go to a green on this that's the very first question they would ask beyond anything other details and then beyond that they want to know well okay if it's going to have some two million dollars to go from red to a yellow how many people are going to be involved how much time is it going to take what L is that going to include is

it really worth it so coming out of that again another monkey coming in got me thinking quite a bit more you know after that I chaotic job there was a lot of communication challenges in that that really set me in the middle of reporting up the executive level and also reporting down from a technical level and being able translate between the two so you know it posed a lot of questions of how do I do this effectively one of the big gaps there was terminology differences even from the technical side it's for sure from the executive site when you talked about a system or a box or a hardware or a hard drive or a

computer you know the executive is just like that thing over there I don't know what it is I don't know what it does i just know that that's kind of bad so the terminology was just huge differences sometimes that took a little bit of Education that no mr. executive that's a router not a firewall or that's a switch not a hub or whatever that might then the other thing that was a challenge was and all comes this little later is going to right amount of detail for that executive I learn the hard lessons early on that have this really long report and all its great information and gave the specifics the executive would lose attention really quickly because they

would get lost in all the details they would also get frustrated because they're like what really is the problem I need like one box or I need one page that really says all that 30 pages in why I need it to be brief I need to I've got five minutes earners and what the heck you're trying to say and then I get a move on so there's a lot of frustration both on their part because they understand what I was setting and from my part because I wasn't communicating it correctly so that kind of led into the start up some new magic we'll talk about magic words in a minute but you know on the left hand side here

we have on my left you have the IT more traditional terms right hand you have more kind of traditional executive terms and you can see there's not a whole lot of overlap between the two so trying to find what those specific ones are is challenging so we'll come back to that in a few minutes here so I left an icy audit job went in to get kind of a true security manager job when I got into security a lot of the same things came back from audit we talked a lot about risk we talked about governance we talked about compliance there were specific standards that you had to understand so it was a lot more you had

to do this and you have you couldn't do this I was responsible for security training so again going back to making sure what that message is is consumable I mean how many people have gone to her security training and at the end the people like what did I just watch I don't I didn't get any of that how do you people actually retain it and not just for a test right after the training but six months down the road you ask them hey what's a threat most time they're not going to get it so that's cute training piece was was a piece of that on a huge piece of this job is as my as a security manager was getting

rfps getting requests for proposals in and the full proposal was sometimes 300 pages long the specific section on security was only about 33 pages long but there is traditionally anywhere from minimum of 15 to 20 up to like 200 questions about security and it's not just an opening question of hey do you have a firewall it's okay what ports do you allow on the firewall and what audit you know criteria do you use and what standards do you follow and where's your evidence and you know answering these our peer responses was a huge huge challenge in this particular role so understanding what the needs were and then being able to answer it correctly again go back to that translation so

part of that and and part of coming on to that was communicating the IT team Ed and Beyond IT and also including a superior challenge terminology so I T terminology is one thing security terminology is even yet another one and so having to add that layer of complexity to translate what a security threat would be what a vulnerability was again what risk is to both people inside the organization of the organization down the organization and the customers again start adding more complexity into it those external resources audit again working with audit quite a bit more telling the story in terms of they could that they could understand the thing that was challenging with this particular

position was I went from an audit position where basically as an auditor I could tell people hey you need to have a password policy that says it has to be 25 characters and them as the oddity didn't really get much choice in it well they like it or not a lot of times they're like oh fine okay they're doing this one was a little bit different in that it was sometimes a checkbox for compliance because we had to do it versus we really need to do the right thing and the right thing sometimes was a lot more effort a lot more time lot more money so that was a chance to explain why we need to do it one way

versus another this was a interesting little hiatus ahead I went off for a year and a half and got out of the security world out of the outlawed it world which I knew and was very smooth and very good at to go and being an HR executive at a row a pretty large company you might say well how did that transition happen well I think some of it was in fact that a new technology I knew the executives they knew that I could explain to him what exactly was going on and there was a huge huge problem with the HR technology that was out there my role in this job was to go out and find every piece of HR

technology and organization and again this was a very large company there was like three thousand HR related technologies out there ranging from we've tracks on a spreadsheet to we've got a very complex system this little chart on the on the right-hand side kind of shows just some of the system that company probably had just about every single one of these and so my role was to do a few things the first one was figure out what all those systems work and then once I figure out what those systems were what they actually did and then I'd have to summarize that to be able to say we've got 13 recruiting systems here's what they all do here's how much they cost

here's our Lee here's the ROI which will come back to the river return on investment so we're paying a million dollars to buy them or use them but we're only getting two hundred two hundred thousand dollars worth of actually return on it based on you know metrics then I'd have to figure out those 13 recruiting systems and we consolidate down to one can we can sell it in on 22 well they work together what's the best debris so this was like a huge huge activity to be able to take IT an executive requirements and save money make it more efficient and actually at the end of the day make it better so at the time they took it at

that okay fine it's it's interesting at when I got done with that I left that position of like what did I do that looking back now and reflecting it was actually a really good experience because again it was similar to the audit role and you had to translate up and down the organization so and here are some of the lessons when I learned from that particular experience HR doesn't understand technology very well I think that's a pretty pretty good blanket statement next one many high-level executives also don't understand technology very well because I really had to test my reporting and reporting concise and details and get to the point i also really learned the importance of explaining actual costs

and the return on investment so are we really getting what we're paying for or is this one that was free actually give us the best benefit and then they're really the probably most challenging piece of this particular role was how do all the 3,000 systems fit together in the bigger picture why is this system recruiting and this one is onboarding and what's the difference and why do we have both and why is it this location versus allocation so being able to tell that in a big picture was really really challenging so I left HR management executive level and when it's more the security privacy officer position so on from a manager to an officer level which again gained more

responsibilities we see some some of the mind map here that is an example of just all the different things that sisa would do and that kind of passwords to my current role and really what I'm doing now with with the startup company is demonstrating how it's supposed to be done using our company as a showcase to say okay there's a way to do it and there's a way to do it right so we're going to show you the right way to doing that takes a lot of work and then being able to explain why we did this particular firewall versus that firewall well we open this pork well we don't look at this port while we have this for

identity access management but we don't have that so having all these things in place again and it's not just knowing it for our organizations but to be able to tell customers about it and have them buy into it and have them understand it and then also have them say yeah that makes sense and you know we should do that here so again this whole translation piece comes back comes back over and over every client has a different problem they're trying to solve and it's really not the tool that's the solution a lot of times it's how you implement it what you need to implement tool agnostic they still got the same problem also find out from this

particular role is that the ability to fully explain something and then support why you need to do it one way as opposed to we get many clients that say hey I just need to be HIPAA compliant whatever we get those checkboxes done that's all I want to do I don't want to do whatever's best practice I don't care if I have a you know my front door is unlocked as long as I can say I'm HIPAA compliant that's all I need and so that's a really hard conversation to say well you might want to put that lock on the front door and this is why I'm helping them understand risk management the theme of risk management keeps

coming in over and over and over again and then expanding expressed on de question of why and then again I piece so here's what all those stories kind of come together and this is kind of the recommendations or where it fit so the keys to successful communications telling a story having that good story to tell using analogies and examples which will go through finding out what words are triggers for both sides of the coin so knowing what word will then spark an interest in either an IT person or an executive and then finally creating that bridge putting yourself in their shoes what do they really need to know what do they not need to know where

are you just the expert and if you can prove that your expert then they will just say okay I get it I'm listening to you you're the expert I'll do what you say so here's an example of telling a story walking through this so this is an example of a bank and two factor authentication so this was part of one of the trainings on that we had done and it was explaining the difference between a threat the Vanar ability to threat the incident and the actual breach so you have an online checking account weak password that's a vulnerability a threat hacker could use a tool to get that password that might be a threat you have

some controls in place to hopefully would stop that that's where your two factor authentication would come in if it doesn't stop it you just keep that weak password the incident is that would able to bypass those controls view account data compromise confidentiality that's your incident and actually the breach is they would steal it data take the money whereas I may be so using that analogy of a checking account has people understanding as opposed to saying well a security vulnerability is a CSS score of this and it needs to do this in a nice to this and the threat is that some bad guy might do this normal users aren't going to get that for the most

part they'll understand breach probably they'll say oh I hear about that breach in the paper but they won't know they're between a breach and an incident another example explaining surgeons knowledge service so try explaining that to somebody who doesn't know anything about computers it's challenged the analogy that I've used in the past is think about going on the inner everybody's done it right you know how it works except this normal is good except for this day whatever reason the traffic on your state is completely jammed don't know what's going on just know it's completely jammed if you play okay I can I can envision that nobody can get on nobody can get off all right

okay I'm sitting in traffic is jammed I understand that's your denial of service means you can't do anything else it's completely locked everything up eventually it will clear out hopefully and you get out the air state now oh okay I get that obviously gotta fill in the holes a little bit more there but the analogy they will get they'll understand getting on the interstate as opposed to you tell them the technical components of it and this is how it actually works you overflow with packets and you this news no whoa what what's a packet I don't get it so magic words buzz words they might hear these thrown around the office may be here executives

reports with this but you know they want most executive on with you think outside the box it's the early mean hit you hit the nail ahead on that one can you please go on a deeper dive a game changer this is a I heard this a lot don't boil the ocean don't try to do everything but yet we want that quick win ok hit that low hanging fruit that's a return on investment again so these are some buzz words that you might hear throwing around specific security buzzwords confidentiality availability integrity the CIA a lot of the executives won't really get that you know it's more than we talked about security risk that is one where actually

it is pretty committee um pretty effective across both sides the specific technologies the tools you go into a specific tool or specific technology people aren't going to get that and then through in their budget as a security magic word so if you kind of get your point across and your budget in there or looking for budget or me budget that seems like that comes up quite a bit magic words for executives so a little bit different flavor they want anything like strategy where's it's fitting the overall strategy how does it fit with our two year plan our three year planner six months where's the strategy what's the risk what's the cost is this going to be profitable that's a great

conversation with an executive trainers trying to have them understand that putting in a IDs as profitable they don't get they understand because it doesn't make them money they can't see a check coming in so if you try doing the other side say well this is how it's going to decrease the risk they'll say well how much okay if it didn't make us money how much did it safe well it didn't do that either so what's that really looked like from a cost perspective you have to you have to you know play around with what those needs are a little bit from a property listing point so schedule timeline that's another question that will ask is well

how long is it going to take and at the end of the day we put that new idea IPS in what are the deliverables what is actually in the day what's needed and then the last question is a lot of times from an executive side well okay we do always think I did how does it impact that end customer that end user is it going to make it slower for them faster than for them so I'm going to call me and complain about it you know what is what's the impact to that end customer so knowing that these are kind of the triggers for that executive is important to know so that you handle that in the

recommendations so bridging the gap to allow these images from place like fine I really like this one that you have your nice fancy bow tie bits only and that cables but you know understanding what technology actually does and how it fits into the bigger picture that's one of the keys to bridging these gaps most executives don't want to understand the bits and the bite but if you show that this is how it fits into the bigger picture this is how it fits into the strategy that will help them understand why it's important how it relates to other technologies so we have an IDs and you kind of maybe understand what that means we also have dlp or maybe we have

a firewall that does this but we have a solar device that does something similar and then asking the right questions to get the right answers if you have that Q&A section with the with the executive making sure that whatever in whatever question they would ask you have the right answer from the technology perspective but also an answer that they're going to understand so this is this is going from the executive level that this is what I T should do to communicate up to the executive start with an headline very first thing is throw it through a headline out there this is what we're really talking about don't go straight into the details provide the purpose and

the impact that's really that why and make it very short and to the point bring in the strategy connection you know as I said before our strategy is to grow by X if we do this this is how it relates to it if you can't make that strategy connection with with what you're trying to accomplish or whatever that I t is where that problem is or how you can't get to the strategy because you have a prom a nightie you probably lose that executive the budget in the costs they were always asked about budgets and costs you don't have that indoor if you don't understand what they mean or if they're not accurate it's really going to cost five dollars what

you want tell them that to eat I'm a dollar that's not going to go over well in fact customers schedule and then really focus on the future as opposed to the past many times the executives don't want to hear we've had three years of this problem and we just need to fix it now I know if you say well in the next three years we're going to be able to ABC and D because we do this that's forward thinking that provides more emphasis to your solution or what you're trying to accomplish there so the executives will respond much much better to those things okay going a little bit further here so don't spend too much

time on the details but hasn't prepared for the questions brevity is very important here get right to the point make sure you get enough information that executives so they know exactly what they need to make a decision it seems like time after time when you have to have multiple conversations or the same thing you don't get as much success as opposed to if you give them enough information right off the bat do you'll make a decision they can then do that and get it back to you quickly or get back to you right in the spot there think like an executive think okay if I'm running this company what exactly do i need to hear what's

important I know the bits and bytes are important but what is some an executive perspective if they've got a hundred things to think about what's really important about this particular issue and then communicate like an executive you know look at what kind of terminology look at what kind of styles they use so these will be for all my executives in the room so let's give me a little a little different but you know I also put the expectation on the executive you can't always blame IT for bringing the problem Williams security for being the problem from an executive level you need to make sure that you pass out and say look when you meet with

me this is how much time you have you have five minutes to get your point across the persons are preparing for two hours this is how I went to be communicated I want you to send me an email or I want it just to be a presentation or I want a summary send me a text I had several executives I've worked with that you would send them an email nothing you'd send them a text you get respond like that so it's knowing what that person needs from a communication style as for examples are analogy so if you're an executive and you're trying to understand from a technology perspective say okay I really don't get what you're saying give me a

different example and then do some research i got these books up here just as example that you know from an executive side you should take some ownership because I t is certainly and security is a certain part of their organization know what the heck that really means it doesn't mean you have to configure you know a specific system but you need to understand the high level what put things are so recommendations at an entry level so if you're just starting out in the field of RIT or security this some things to maybe think about as you move forward so try to understand more than just your specialty learn learn learn I run into a lot of

people that they're like you know I'm a pen tester I'm willing apprentice so that's all I do and I don't do anything else I don't want to understand any of the strategy stuff I don't understand anything over here on defensive I don't understand no you need to you know you need to expand out and learn the broader sense of what I tia is what security isn't even from an organization perspective you can you know that's kind of getting that next level job shadow or an internship get more senior level mentor get an actual mentor in the field get somebody that's an expert to give you some advice uses people get to a senior level or more than happy do mentorships

and you know provide some examples get some of those lessons learned out there ask for analogies and ask for feedback so as an entry level there's some things that you do right now even even if you don't know everything something you get to you know right now you can start doing these things let's move up the chain more of a mid-level this is the point where you should hopefully start understanding the business strategy being able to explain that strategy understand where you fit into it understand where your team fit sent to understand where your peers fit into it get a good understand recent understand the likelihood in the impact start or join a peer mentoring group and this

really is around if you are the help desk guy start meeting and networking with the networking guys with the development guys you know cross laterally at your level get that relationship and have them understand what you do and what they do also so you get that relationship you get an understanding of what everybody's doing and then also build relationships with finance HR audit legal etc so go beyond just IT has those connections and all the other different departments of the organization big enough to have those um an executive level so looking from the top down these are things that I would give recognition is from an executive level they should be doing get educated take classes an IT take classes in

security and privacy meet with mobile multiple layers of security not just management I see this far out and then you know your sea level person is just meeting with your director of IT or your director of X particular area not very often does the CEO go down and talk to the programmer and I think that's kind of a mess you know I know they're busy but understand really what every person I organization as much as possible what they contribute you get that kind of involvement and you get people to understand that look you're not just a number you're actually here for a reason that's really important a good recommendation I have for an executive is get involved with an incident from a

security site and get involved with insurance file not just when it happens not just when you get that high level report that oh we just had a we just had a little blip yesterday and the executives are okay no big deal but actually go from that process from beginning to end nothing frustrates me more than when something comes out of the blue and you're not sure what happened beforehand you think that's just easy if they're involved with the instant response process so slow getting appreciation of well this is actually really complicated actually there's a lot of pieces in here ok I understand that you did forensics work I get that now um last thing for an executive-level

go to conferences go to black hat go to DEFCON what a corn college is just here in Iowa um you know getting your eyes exposed to the capabilities out there you know a lot of times I'll talk with executives and like oh security you know that's like that home depot thing that's like anthem and that won't happen to us and you know there's only a couple people out there that actually can do this right it's like no you need to go to a DEFCON you need to go to a black hat Oh before you go you need to do this before you go you know don't be the stone to this but when you go there get

your eyes open to the capabilities of this community it's amazing it's scary amazing so that would be my executive level of recommendations in summary wrapping things up you know tell stories use example of analogies they can speak alike put yourself in the other person's shoes well you're an executive looking down at IT or IT looking up at an executive-level put yourself in their shoes what do you really need to know and then if you're in a nightie looking up an executive level and you think you need to take up an hour realize that executive movie won't have five minutes you need to condense it down put yourself in their shoes really focus on delivery & style get all the details so

you've got enough information most people in this field get that they have the details folks on the overall strategy and then provide the question of why the answers to why that's me I'll open up for questions we will challenge with this area specific challenges yeah

yeah so um the questions are our metrics so there's there's lots of different metrics and maturity models out there I haven't found one that I really fell in love with so what I do is actually create my own maturity matrix that would show this is what good is and how to measure good this is what not good is and how to measure good so you know they're not specific ones depending on what you're trying to get across there's you know each one has a metric but metrics is a hard one um and especially doing our way that's a hard one to actually give it this is a 3 out of a five usually gets that out of more I

tiata type questions of the responses but yeah metrics is a hard one so I don't have a specific you go to this particular website other questions yeah give the recommendations that works specifically within product security as opposed to IT security because executives in that area would always see security at the cost right yeah I would say from the product side the hook into the executive is the impact of the customer and and really showing that we would suppose more specifics on products might even better understand but you know if you explain from a customer perspective how you're going to make it easier better faster or them usually those things well sometimes equate to you can you can charge more

money for this product because it's going to make it easier it's going to make it faster yes Curie is a hard one to to respond to from an executive level or you know support the cause an executive from from products for sure others

thing else I had a question sure on this one I mean weird situations I'm more on the vendor side and lift our theory they are trying to get part of the sweet the message and what to convey this is an excellent I think it clarified a lot of things that maybe I ought to be mistaking doings being a little overly technical with the exact and like that but what's the best way to get a seat at that table how to initiate that conversation and get that get your get your time with the things from an outside by the perspective yeah um yeah so kind of question is from an outside vendor perspective how do you

successfully get into that company to get your product in their future service in there um what's been successful with us there's a couple different things one is its building that relationship so they trust it you'll know what you're doing you're doing on behalf of them as opposed to just pushing your product just to make a buck having confidence that your product actually will solve their problems and no we're fifth into they were instruction we're going to organizational strategy again I would go back to looking at in a family the company is you can probably figure out where directions are going with strategy white major components they have and if you can fit your product into that

that's usually a really good hook but actually getting in front of them relationships knowing people having a good story to tell and referrals usually are that are the key for us to be on get in sometimes you know sometimes situations will happen will be a local incident that's another good time to be like k just as a reminder we're here to help you out sometimes you get to advantage those incidents others anything else cool thank you for your time appreciate it guys