a16z Podcast - a16z Podcast: Getting Security Right Isn’t as Hard as You Think (But the Effort Never Ends)

Episode Date: April 29, 2015

The paradox of security is we pretty much know what we are supposed to do most of the time -- but we don’t do it. If you examine all the recent high profile attacks, somebody in the organization knew something was wrong before it happened. They just didn’t have the ability to escalate the problem, or the ability to raise a flag that people took seriously. The lack of foundational security hygiene is what makes companies vulnerable to relatively mundane attacks, which are far more likely to hit your company than some sophisticated nation-state mounted attack. “There’s this misconception that we can’t defend against these attacks because we can’t deal with the sophistication of the attackers,” says Tanium CTO Orion Hindawi. “It turns out, we should just be doing the good hygiene we’ve all been trying to do for the last 20 years.” In this segment of the a16z Podcast, Hindawi shares how to get your security hygiene right -- not just from a technical perspective, but from a cultural one as well.

Transcript
Starting point is 00:00:00 The content here is for informational purposes only, should not be taken as legal, business, tax, or investment advice, or be used to evaluate any investment or security and is not directed at any investors or potential investors in any A16Z fund. For more details, please see A16Z.com slash disclosures. Welcome to the A16Z podcast. I'm Michael Copeland, and I am here at the headquarters of Tanium with Orion Hindawi, CTO. Orion, thanks for coming. Or actually, I'm visiting you, so thanks for having me. It's a pleasure either way. I just saw, literally, I was coming up in the elevator,
Starting point is 00:00:34 I just saw that WikiLeaks had posted hundreds of thousands of emails and more data from the Sony hack. It seems to have been a pretty bad year. I mean, it's a tough year if you've been a security person. And 2013 was certainly a tough year, and, you know, a couple of years before that. Is it getting worse? So there are a couple factors there. So the first factor really is that we're getting better at detecting that we've been attacked.
Starting point is 00:00:56 And so I think a lot of customers have invested in detective mechanisms so that they can see that bad things are happening, and I think we're actually surfacing a lot of stuff that used to happen and we just didn't even know it was happening. And we're detecting it faster now, and we've got better telemetry on what's happening, and I think that's factoring into this. I think another thing that we're seeing that definitely is getting worse is that companies are keeping more and more of their data online. They've got more and more of this data accessible to the internet because they're using it for customer-facing
Starting point is 00:01:28 activity, and that opens up surface area vulnerability, and I think the attackers are actually getting a lot better. We're definitely seeing the sophistication of the attacks that we're looking at increasing. And I think the volume of data that they can go after and the accessibility of that data driven by business use, driven by the business that our customers are in and how having that customer data accessible to the internet enables that business is giving them more to attack. So I think of both vectors. That's true. More out there, it's more valuable, so I'm a hacker, I'm going to go after it. But there's this tension then between all these systems that we want online, all this data that we want
Starting point is 00:02:08 to put on, like, online that, as you say, is part of doing business. So what are the gaps then, if we're going to live in this world of, you know, everything's connected, I can work from anywhere, I can bring in third-party vendors, and they can access my system too, what are the gaps then that need to be filled and, you know, that are making us in some ways more vulnerable? So, you know, the irony of security is we all pretty much know what we're supposed to be doing most of the time. If you're a security expert and you've been doing this for a while, we all know that there are just good hygiene things we're supposed to have done this whole time. So patching your devices, having disk encryption locally on devices that have data at rest, having things like dual factor authentication and things like agents that are on endpoints like antivirus that are working. The fundamental problem that I think we're seeing is that people aren't doing a lot of those things.
Starting point is 00:03:01 And I think the more that you integrate third-party vendors, the more that you have data that's present that you can access from internet-facing devices, the more important it is that this basic hygiene get followed. If you look at the attacks that we've been seeing, there's kind of this thought that these nation states with thousands of people are attacking every customer. And that may be true in some specific cases. But in many cases, when you actually look at the actual tangible attacks that people are seeing, they're exploiting known vulnerabilities. They're exploiting customers not putting dual factor where they thought they would or disk encryption where they should have.
Starting point is 00:03:40 And those are just block and tackle hygiene issues. They're not actually these super sophisticated, you know, James Bond-style, somebody's parachuting through a skylight minging into your data centers. It is this misconception that we can't defend against these attacks because we can't deal with the sophistication of the attackers. It turns out we should just be doing the good hygiene we've all been trying to do for the last, you know, whatever it is, 20 years. And in many cases, our customers are just realizing that they've been failing for 20 years.
Starting point is 00:04:07 And now they're actually realizing the frequency that they're being attacked by relatively mundane attackers because they haven't been doing all the things that they thought they should have done this whole time. And they just didn't notice it. So are you saying that the psychology is, today among some folks, that, look, we can't win anyway, so why bother? Or is it that, well, it wasn't a problem in the past,
Starting point is 00:04:32 so I don't need to sort of check all the boxes and do what I should? I think it's more of people are realizing that they haven't been doing all the things they've been told to do for so long that they don't believe it's possible to do them. So, I mean, I'll make an analogy,
Starting point is 00:04:48 right? I mean, if I told you that every day you had to go and exercise 3 hours a day and eat perfectly and, you know, live an extremely healthy life every day. Yeah, I clearly I do that. Yeah. Most people would fail, right? Yeah. If you knew that you were going to die this year because you weren't doing that stuff, you'd probably make a really good effort. Most of our customers have gotten to the point where they don't believe it's possible to do all the things they've been told to do. So they're resigned basically to dying every year.
Starting point is 00:05:21 They're resigned to getting attacked constantly because they don't think it's possible to patch all their devices because they don't think that it's possible for them to get all of the antivirus and HIPS and disk encryption working the way that they were supposed to, password policies, kicking off machines off their network that weren't supposed to be there in the first place. I mean, these are all the problems our industry has been basically tackling for the last 20 years. And now people have been trying because they don't think it's possible to do those things to find a silver bullet. So, you know, I'm not going to name the names of vendors, but when you start looking at them, you'll start seeing some of these guys touting that if you install my agent on this endpoint, everything automatically gets fixed. Right. To extend your exercise analogy, it's like just take this pill, you know, or five minutes a day and, like, boom, you're done. Even not that, right? I mean, the idea is just exercise once in your life, and then it'll all carry over for the rest of your life.
Starting point is 00:06:12 And unfortunately, in security, that's never been true. I mean, if you look back at the last 30 years of security, there's been a vendor every year that's come up with a new theory on how if you just do one thing, everything will be fine. And truth of security is it's never been that way and it'll never be that way. You have to do eating healthy and exercising every day if you actually want to keep secure. And there's no way to be 100% secure. But the truth of the matter is if you look across the 10 biggest attacks this year, all of them tied back to pretty mundane things that the organization knew they were supposed to do that they didn't do. And really our emphasis from a security posture standpoint is,
Starting point is 00:06:50 It's great that we're looking for sophisticated insider threat from geniuses. We should be doing that too. But before you get there, or nation state attack prevention, which is almost impossible, let's just do the basic stuff. If I'm in charge of security or if I'm running a company, period, and those that have kind of made that shift where they're not looking for a magic bullet, but they're doing the sort of good hygiene blocking and tackling, if you can describe that mindset and that sort of inviative,
Starting point is 00:07:20 that allows for that, what does that look like and feel like? Okay. So one of the biggest things that has to happen is the security and operations teams need to actually become friends. So if you think about what I've been talking about here, a lot of it is detected by security, so flaws in the environment that aren't really up to the compliance standard that the organization's setting. And the operations team is often responsible for fixing it. So we've been talking about patches or antivirus updates or being able to do things like disk encryption.
Starting point is 00:07:49 Those have to involve operations. And one of the biggest problems that we see in enterprises that we work in is that those two teams are not 100% in sync. The operations team is really worried about some problems. The security team is worried about a completely different set of problems. And until those two teams really get on the same page, it's not going to work. Because there's going to be a huge gap between what security wants to happen
Starting point is 00:08:11 and what operations is actually doing. And so the most successful organizations that we're seeing, and we would encourage all of our customers to move in this direction. You've got security and operations really joined at the hip, both understanding this is an existential threat to their organization if they don't do it well, and really coordinating on finding and then fixing very quickly any gaps that exist in the org. Is that relationship, you know, is operations worried that their ability to function gets hampered by security, or is it more that security sort of doesn't know the ins and outs of,
Starting point is 00:08:46 and vice versa, ins and outs of what operations does and, you know, and doesn't therefore know how to attend to it? So, I mean, there are a few things. So one of them is operations is really responsible for keeping the organization working. And the more change you make and the faster you make it, the more likely it is that you're going to break something. And so security always is super urgent when it comes to, you know, we've got a flaw, we think it might be exploitable, we absolutely need to fix it.
Starting point is 00:09:13 And operations typically is going to look at it as, you know, how do we make sure, that we're implementing the change at a rate where we're not dooming the org to having a huge business outage because we changed something and it broke something. And so there's a natural tension there. What's really important is that security actually understand why operations
Starting point is 00:09:30 wants to be deliberate. And conversely, operations needs to understand why security is so urgent. And the reality is you really can do something in an hour across the largest environments in the world. If everybody gets together, you've got the right tools,
Starting point is 00:09:45 and you're pushing as hard as possible. And I know that sounds hyperbolic to a lot of people because many people are going to listen to this and say, you know, if I'm running the largest enterprises in the world, I've never done anything in less than weeks. Right. And the reality is you can do it in minutes if the tool set is upgraded to allow you to do it. And if everybody understands the urgency and the requirements to make sure that the operational focus of the environment is maintained. Right. And it's urgency not in the sense of like, okay, let's all freak out now. It's urgency like, okay, we have a plan. You know, it's DEFCON 5, push the button, let's go. It's urgency in the sense that if you look at every one of the attacks that we saw,
Starting point is 00:10:26 somebody in that org knew something was wrong before it happened. They just didn't have the latitude to escalate it. They didn't have the ability in the organization to effect change. They weren't actually screaming from the parapets, we need to fix this, and having anybody listen. And what you see in the best run environments is that security has a seat at the highest table and they're able to really raise a flag and as soon as they raise it, people take it very seriously and they understand the requirements in the organization not to blow the organization up because we're moving too quickly. So urgency doesn't mean let's run with our hair on fire around and try and fix every issue without thinking about it. Urgency means that we can't afford to just forget about these things and bring them up three weeks later
Starting point is 00:11:12 and then probably forget about them then and bring them up three weeks later, which in all honesty, a lot of security organizations have vulnerabilities they detected years ago that are still not being fixed. If that's the level of urgency in the organization to respond to security need,
Starting point is 00:11:26 there's a very high likelihood that they're being attacked successfully. And it's shame on them. And it gets back to this notion of like you need an environment where, again, people understand both sides. Like, I can imagine that you don't want to raise the alarm if that's going to, you are worried that it's going to slow down the business and or there's
Starting point is 00:11:47 been this kind of, you know, message from the top that, look, what we do is build the business and we grow, grow, grow, and we go fast, fast, fast. It's hard to put on the brakes if you see something in that sort of environment. So let me just say, I mean, you were asking about the biggest change in the last year. The biggest change we're seeing is that there's board level acknowledgement that this is an existential threat to the business. So it used to be that security was annoying, and often it was kind of, we'll accept this risk, the likelihood that it's going to actually cause massive damage is pretty low. If it is, we can probably contain it. We probably don't have to disclose it. There were a lot of these kind of rationalizations around security,
Starting point is 00:12:28 and I think the watershed moment was the Target breach where the CEO got fired, the board got sued, the whole stack in IT got replaced, and, you know, potentially billions of dollars of damage were caused. And when you take a step back and think about that, you know, I was talking to a CEO recently, and he told me, and this is now a quote I've repeated a number of times, but that, you know, he's got three existential threats to his business, nuclear weapons, meteors, and cybersecurity, right? Right. And he never would have said that five years ago, and he admits that.
Starting point is 00:12:59 He says, you know, five years ago, I was worried about regulation and my China strategy and my competition, and now I'm worried about three things, only one of which I actually have any control over, right? And so that change drives behavior across the organization. You look at a lot of these big companies, they're spending literally 10 times more on security than they were five years ago. And the reason is there's a realization
Starting point is 00:13:22 at the top level of the organization that we can't kick the can down the road anymore. And that having operations come back and say, well, this is annoying, is not a good enough reason not to do it, which five years ago wasn't true. You talked to a lot of large companies who are grappling with this.
Starting point is 00:13:38 How is the conversation, You talk about how it happens at the board level now and at the highest levels of the company. If I'm a company that hasn't been hacked, is the conversation somewhat different than a company that just has gone through a breach? Yeah. So there's this concept in our industry
Starting point is 00:13:55 that it's good for security companies when their customers get breached and it's actually not true. And the reason it's not true is that often what you see in companies that have been attacked is a very neurotic behavior pattern for three or four months after the attack where they will pay anything for somebody
Starting point is 00:14:14 to walk in and tell them that everything's fine, which is actually not our business, right? I mean, we don't really want to come in and tell you everything's fine or that we'll handle it. I mean, it's really systemic change that needs to happen in the org for them to be fine, and we can't effect that change, they have to. But you end up with people who are getting fired, people who are constantly in meetings trying to defend themselves instead of actually make change. And I'm just saying, you know, generalizing across the hundreds of customers that we've seen, but it's actually not a very fertile environment for good decision-making. Right.
Starting point is 00:14:45 And so, you know, we will often get business out of those situations, but it's not the kind of business that I actually prefer. My preference is a deliberate decision by the board or the CEO or the management chain in IT that they have to really reprioritize around security, typically because they saw their peer get attacked. Right. And then they want to actually build a strategy. So there's no real strategic thinking that we typically see in the two months after an attack.
Starting point is 00:15:13 Typically, we see hair-on-fire behavior, right? People are getting fired. You want to cover your job. And those are not the kind of scenarios where we typically see thoughtful work. Now, I will say this. We have some customers. I think Target is a great example of one of them that are extremely thoughtful, and were thoughtful in the aftermath of the breach.
Starting point is 00:15:36 They spent a lot of time building a real lasting structure, and I think they've done one of the best jobs we've seen in building a security organization. They should be extremely proud, but unfortunately they're the exception, not the rule, in post-breach situations. And how has the culture sort of shifted at Target? Clearly, you go through something like this. Everybody in the organization knows what happened and, you know, the consequences. But then there's probably a tendency to sort of try and get past it and get on with business as usual. So not at Target. What we're seeing there is actually a continual realization that security is a permanent thing they need to be really careful with.
Starting point is 00:16:18 So, I mean, that org suffered tremendously during that breach. And I think, you know, there's more public on this than I can repeat here that, you know, gives context. But they hired a great CISO. He hired a great set of lieutenants, all new into the org. And what he did that I thought was really nice was he looked at the premier security executives from across the community. He hired a bunch of people from the Mandiant FireEye crowd. He hired a bunch of people from other places like General Electric that were super competent people. And he built an org from the ground up.
Starting point is 00:16:53 And he had the latitude to do that because the organization at the top level of Target, the CEO and the board, mandated that they do a world-class job. And, you know, when you look at some of the people he hired, especially some of the Mandiant people, they're exceptional people. And I think he's built a kernel in that organization that's going to insist on an excellent org. And that's a sea change from where they were two years ago. Let's say I'm not Target.
Starting point is 00:17:18 I don't have thousands of employees and, you know, thousands of stores for that matter. How then on the spectrum do I want to view security, you know, as a smaller company, but then also take us up to a big company. And I also want to circle back on your view of this personally, like how it seems so sort of forbidding, but maybe it shouldn't be. So I'll say kind of a general thing first, and then I'll go through the spectrum. Security is scary because it can cause massive damage.
Starting point is 00:17:55 The same way that, you know, a lot of things in our lives are scary. Cars are scary because people die in them every day, and most people aren't scared of cars. They just realize they have to drive carefully, right? Security should be treated the same way. You should just be prudently cautious about the fact that if you have vulnerabilities, you should be fixing them. If you have users who are being added, you should make sure that there is multi-factor enabled on them. There are just kind of these good habits that everybody knows they're supposed to follow. And a lot of organizations look like
Starting point is 00:18:29 they're driving 120 miles an hour drunk, right? They're not doing any of the things that they should be doing. And as a result of the fact that they're not doing those things, they are really prone to accidents, right? There are rules in security and in operations in general.
Starting point is 00:18:44 You should be going and monitoring your network traffic in specific ways. You should be implementing firewall policies that make sense. You should be patching your assets. You should be figuring out what data is being exfiltrated from the endpoints so that you can actually see it. You should see where your critical data is and data leak protect it. There are things you should be doing.
Starting point is 00:19:02 And that's exactly analogous to driving 65 miles an hour on the freeway, sober, and paying attention to the people around you. Right. So when I hear people who are kind of terrified generally about security and feel like it's an out-of-control situation, those tend to be the people where, from the analogy, they're not driving anywhere near the speed limit. and they don't seem to care, and they just want to get wherever they're trying to get as quickly as possible, and they're getting into accidents every day. And there's a direct correlation between their behavior and the results.
Starting point is 00:19:30 So my assertion would be there's good hygiene that you should be practicing in security and operations. Everyone knows what it is. Let's just do it. It turns out that if you do it, you feel a lot better, and the results are a lot better. It's exactly like exercise or like driving safely. Let's take it to really basic things that everybody knows they're supposed to be doing. So that's the first thing I'd say. The second thing I'd say is Tanium is focused primarily on Global 2000 companies for a reason,
Starting point is 00:20:00 which is there is not the capacity in small companies to do the same work that our biggest customers are doing. It's not that they shouldn't be doing it. It's that they don't have security personnel on staff who've been through years of training and have years of experience in ferreting out advanced threat. They may be attacked. In some cases, we're seeing stores where they've got 1,000 employees in 10 stores. and they're being attacked. Yeah.
Starting point is 00:20:24 And the reason is they've got credit card data, and credit card data is valuable. I don't know that they have the wherewithal or that they should be trying to build the expertise to deal with the same attacks that a Target or a Walmart are trying to deal with. Now that said, you know, again, there are some good hygiene things they can do.
Starting point is 00:20:40 There are endpoint solutions that are designed to be heuristically kind of preventative. So you think about antivirus is kind of the most simple one. And you look at things like, you know, host IPS or, some of the other solutions that are being released on the endpoint that are really heuristic. You set them and forget them if you want to think about it that way.
Starting point is 00:21:00 You should probably deploy some of those, but I'll be honest, that's not our area of expertise. Where we start playing is when we've got a 5,000 or 10,000 seat org. They've got enough data at this point where it potentially could be a huge disclosure issue if they actually get attacked, and they typically have a security set of personnel in the environment because they can't afford not to, right? I mean, it's, again, a risk reward, risk benefit, if you want to think about it that way. In the end of the day, if they don't have these people, then they stand to have huge risk. And so they'll expend the cost to actually build a practice within the org that allows them to kind of understand their security posture.
Starting point is 00:21:37 When you get to that point, there are a few hundred things you should just be doing. And, you know, this is kind of the theme of the discussion, right? is that, you know, we should start making sure that all those 200 things are done. So password policies, domain presence, being able to have good ideas of what's connected to the network and being able to see whether devices are unmanaged and bring them under management, making sure that managed devices are being patched correctly and that the applications that are on them are actually the intended applications, that they're being upgraded appropriately. You know, just kind of block and tackle IT.
Starting point is 00:22:12 And assuming that that's done, then you start getting to the next level. So we have many of our customers who are starting to do outlier analysis, heuristic analysis to determine whether behavior patterns are changing, looking at things like insider threat. I'll say, though, I mean, when we walk into companies, we've now deployed this thing in hundreds of companies and we've seen a cross-section of the Global 2000 that, you know, it's a pretty interesting cross-section.
Starting point is 00:22:35 I think maybe one or two percent of the companies that we've walked into really should have started talking about insider threat when we got there. Right. The other 98-99%, they weren't through the just block and tackle stuff. And it's so fun to talk about insider threat and nation states and cloak and dagger. It's just a waste of company resources unless you've got the framework built correctly. To even approach that kind of attack. If you haven't dealt with your patches, you should be worried about kids that have access to Google, not nation states that want to attack you.
Starting point is 00:23:10 That's kind of the point I'm making is that, you know, there are thousands of people that are professional attackers that are nation-state level or criminal attackers who can get into most companies. There are millions of kids with Google who can figure out how to exploit known vulnerabilities that aren't patched. Right. In some ways, the nation state is the meteor that hits you, not the sort of security breach that happens to a lot of folks.
Starting point is 00:23:34 I mean, I think serious people in security have realized a long time ago that given infinite time and infinite money, a nation state will come at you and will succeed. The reality of the situation is very few companies, very few are equipped to actually deal with that threat in any way. I don't even want to use the word prevent because I don't think it's possible, but even deal with it. I think you look at our intelligence community, they're fighting a war with other intelligence communities and nation state actors outside. They are probably more equipped, but the truth of the matter is this is a bloody conflict. It's not a clean, we keep everybody out, everything's perfect, we go to sleep at night and everyone feels good, even for them. Well, and so as a company,
Starting point is 00:24:21 uh, I go through the 200 things that I need to do, I might even look at insider threat sort of risk, um, and then what? Then I just need to keep it up, I just need to keep the sort of regime going and stay fit and stay sober. Is that... So here, here's what I would say. There's an almost infinite amount of optimization that you can do in security. When you've got hundreds of thousands of assets, everything that could be going wrong is going wrong somewhere right now. You'll never get perfect. And the goal is to reduce the surface area as much as possible by tamping down the obvious stuff, the most obvious, and then moving up to the slightly more obvious or less obvious and then moving up to slightly less obvious and so forth until you get to really esoteric
Starting point is 00:25:04 kind of vulnerability. Most of our customers are at the first level of that, when we walk in, our goal is to ratchet them up a couple levels of less obvious vulnerability and give them the tools to keep going. But the reality is, given the flux of environments, given the virtualization and cloud computing that's happening, given the mobility and BYOD and all the other things that are happening, the perimeter being dissolved in many companies, in reality even if they don't want to admit it, it's a never-ending process. And unfortunately, it's two steps forward, one step back in many companies, because it's
Starting point is 00:25:40 As soon as you've stepped forward, two steps as a security org, somebody from, you know, one of your business units comes back in and has an awful idea that they want to do something. And as soon as you hear it, you choke a little bit because you realize that this is going to obviate a lot of what you just did and you're going to have to figure out how to deal with it. And so the other point that I would make is we can't build the security house for our customers. What we can do is give them really effective tools that they can use to build the house, and when somebody wants another bedroom added or a wall knocked down to make that as easy as possible and to confirm that you did it right. I mean, you know, to take the house analogy a little further,
Starting point is 00:26:16 many of our customers are constantly knocking down walls and they don't even know which walls are load-bearing and then the house crumbles, right? You need to actually have a good view of what you have. You need to understand how it works. And again, you know, I've said this many times before, but many of our customers don't even know how many computers they have. So when you start with that level of lack of knowledge, you can't knock down walls in the house.
Starting point is 00:26:39 You can't make any change and have any confidence it's going to work because you don't even know what you have. You don't know what it's supposed to be doing. Once you know that, then you can start planning. Well, what's the deficiency between what I have and where I want to be? Somebody comes in and asks me for a change, how's I can affect what I have today? How do I want to pivot so that I can minimize the security impact of that change, or actually maybe allow that change to drive more security posture for the work? But the first step is just figuring out how many bedrooms are there in the house?
Starting point is 00:27:10 Where does the house even sit? What does the foundation look like? And many of our customers, before we walk in there, don't have any idea. They don't know how many subnets they have. They don't know how many computers they have. They don't know what's running on those computers. They don't know where their data is. Security is impossible if you don't know those things.
Starting point is 00:27:27 Right. It's not hard. It's impossible. So we would assert that you have to solve those problems first, get the hygiene in place, then let's go worry about everything else. Orion, thanks so much for the conversation. You haven't scared me. You've actually made it seem like this is something that's doable.
Starting point is 00:27:43 It's absolutely doable. We're seeing our customers make progress on this constantly. You just need good tools and you need to have the discipline to use them. It's that simple. And I do think people are getting better at this. I don't think that this is hopeless in any way. I think, you know, kind of the fear-mongering aspect that people are so exhausted by in security is an admission that if you don't do this stuff first, you don't know how to do it.
Starting point is 00:28:07 Right. That doesn't mean that it's hopeless. That means you just need to do this stuff first, and then you actually have some hope. So I think this is actually a very hopeful message, and I think people should see it that way. Well, it's work, and so I guess we have to get to it. Right on. Thank you. Yep.
