The Retail & Hospitality ISAC Podcast 4.24.24
Ep 49 | 4.24.24

How to approach cybersecurity compliance, the female founders of the RH-ISAC, and the monthly intel briefing


Luke Vander Linden: Hello. I'm Luke Vander Linden. I'm the vice president of membership at the retail and hospitality information sharing and analysis center. And you are listening to the "RH-ISAC Podcast." Well, I don't know about you, but if like me you were one of the over 400 attendees of the RHI-ISAC cyber intelligence summit in Denver a couple weeks ago, you're probably still recovering. There was something in the air at this year's summit. Could have been the elevation, but I think it was you, our members, who made it so great. One of my colleagues who you know well, Lee Clark, will join me on today's episode. As usual, he'll update us on any breaking news, but also we'll talk about some of the sessions and interactions and events from the summit that really stuck out to him. I'm also going to sit down with Alex Douds, VP of cybersecurity services at Specialized Security Services or S3 to talk about some of the emerging cybersecurity trends they're seeing. And we bring back the amazing Suzie Squier, president of the RH-ISAC. She's been joining us with a plus one for the last several episodes interviewing some of the founders of the RH-ISAC in celebration of our 10th anniversary. Speaking of our 10th anniversary, we announced at the summit a new event for us partially in celebration of that first decade, but also to convene our members not in a traditional summit or conference type setting, but with lots of different types of things happening over the course of several days. What does that mean? There will be some professional development and training, a CISO forum with facilitated and open discussions, in person working group meetings. I think that's really cool to bring these working groups from virtual to in person. And of course our member meeting 10th anniversary celebration sharing challenge and peer choice awards ceremony. Amazing diverse get together. The week of September 23 in Minneapolis hosted by Target. And, like I said, it's not the summit. We're calling it member exchange live, member exchange of course being one of our sharing platforms online 24/7. And this is member exchange live and in person. More details will be coming out so don't ignore those emails you get from us or post on social or slack. That was a bit of a digression. Sorry about that. Back to Suzie Squier back on the podcast with not just a plus one, but a plus two. She sits down with Diane Brown, RH-ISAC board member and treasurer. She is the VP of IT risk management and CISO at Ulta Beauty. And Debbie McMahon, CISO at Dillard's department store. One more thing I forgot to mention. Starting in May and really continuing through the rest of the year we have eight regional workshops planned. We go to where our members are. So we'll be in Amsterdam, Atlanta, Chicago, London, Los Angeles, Toronto, Washington D.C. If you are near or can get to any of those cities, please join us. We'd love to see you. I'll be at several of them. Don't know which ones yet. They like to keep me guessing. But you should make plans to come. All of the information for these and our fall member exchange live will be on the events calendar on our website as those plans are firmed up. And of course if your company is not yet a member of the RH-ISAC, this is the perfect time to join. Go to to learn more and to start the process. All right. On to today's episode. [ Music ] All right. I'm excited to be joined now by Alex Douds, VP of cybersecurity services at Specialized Security Services Inc or S3. Welcome to the podcast, Alex.

Alex Douds: Thanks so much for having me, Luke. I appreciate it.

Luke Vander Linden: So I do like your name, how it's Specialized Security Services and then S3. Makes sense as the abbreviation. But tell me what it is for those of our members and listeners who are not familiar with S3, what it is you guys do in our space.

Alex Douds: Sure. Absolutely. So S3 is a cybersecurity consulting firm that has a number of different lines of business. Primarily essentially we we're composed of assessors who are kind of what I refer to as the auditors that can, you know, work the PCI, NIST, whatever. What have you. Numerous different compliance and security frameworks from that perspective. And then we have our engineers who are ethical hackers who are the real technical guys that can -- well, hopefully not break into your systems, but will try to.

Luke Vander Linden: But will try to. Right. So from your vantage point looking at multiple clients it's kind of neat that you have this view. What are some of the emerging trends or compliance issues that you're seeing for retail and hospitality businesses for 2024?

Alex Douds: Yeah. A couple, couple things, I wanted to go over today during our time together. Just a couple things I wanted to discuss which is AI. That's I think been first and foremost on every CISO's mind that I talk to. A lot of our retail clients are either interested or using it or scared of using it depending on their risk tolerance. So, you know, wanted to kind of discuss what we're seeing out there and what we're seeing folks do and what we feel is probably some maybe good first steps for retail and -- yeah. Go ahead.

Luke Vander Linden: It is funny because I've seen just as the discussions about AI and our community have taken place over the last year or so a real evolution in approach. And no matter if a CISO or a company was hesitant to address it or obviously against its use, I think there's now a realization that it's happening. It's being used by employees. It's being used by threat actors. So it's something that you have to address and have policies around.

Alex Douds: Yeah. And actually perfect summarization. And you're right. I think -- I think the speed at which it's happening, I mean you mentioned that 12 months, I mean who would have ever heard of Chat GPT, right, 18 months ago or something like that? Right? Now everyone knows what it is. Yeah. And the second maybe big trend that we see that I may want to quickly discuss is how organizations reach out and -- you know reach out in hospitality or are starting to kind of align their compliance and audit needs, you know, across numerous different compliance needs that most organizations have. You know, PCI, SOC, SOX, S-O-X and S-O-C, right? Just there are so many different compliance and regulatory needs an organization needed. Where have I complied with? And how do they create efficiencies and align those needs internally? I thought would be a good discussion to have.

Luke Vander Linden: All right. So this could be multiple hours, this discussion.

Alex Douds: Well, yes. So we'll try to be -- we'll try to be efficient. Right, Luke? I mean.

Luke Vander Linden: So let's start with AI then. So are you thinking about like acceptable use policies or just approach in general? Tell me what you mean.

Alex Douds: So and you know like you said we could talk about all this for a few hours, but let's -- let's be aware of our time and constraints and keeping things efficient for our listeners here. Yeah. I think the best place that you always want to start in any compliance or audit requirements is the policy. Right? The policy, the processes, the governance. What -- so that means management deciding how are we going to use AI. Are we going to use AI? What are the risks if we use AI? And let's give our employees some guidance around AI. Right? So we're starting to see compliance frameworks or compliance guidance issued by organizations. The first one out of the gates has been ISO. So ISO just released ISO IEC 42001 2023. When I say just, this is December. So it's a couple months old, a few months old, four or five months old, whatever, at this point. So, you know, and they're doing exactly what we always recommend. Right? They're providing a framework, but what they really start talking about is the governance aspect and giving the employees the guidance and understanding of the acceptable use of AI. Right? And, you know, a few things maybe that would be valuable for your listeners about what they kind of say and how they give us guidance is you know kind of the tenants of the sound AI policy. Right? You have your confidentiality and privacy. So ensuring personal information. And, you know, also company intellectual property are not used in an unexpected manner. Right? Transparency. Again this is -- this is why you have policy and procedure so that management understands AI use, is aware of AI use, and employees understand AI use and what management's intent is for AI use in the organization. Responsibility. You know, it's always critical who assigns responsibility, who's going to manage AI, what kind of AI tools are we going to, you know, allow into the organization, and who's going to be, you know, in the end responsible for that. From a customer perspective, right, data governance, making sure that we have the appropriate data governance in AI, right, depending on what kind of data we're using in AI. Do they align with regulatory and compliance requirements? Does retention of that data align with our legal requirements? You know, a lot of things to be considered there. Right, Luke? Access. Who's got access to the AI? Who's got access to the AI's data? Who can modify the AI? And AI can obviously potentially be used for nefarious purposes. Right? So we need to, you know, ensure access is controlled appropriately. Incident reporting and disciplinary actions. What happens if someone, you know -- something happens with the AI. If the AI's down, if the AI's acting funny, if it's providing us bad data all of a sudden, you know that's going to follow your standard incident reporting process. And what's going to happen if someone misuses AI in the organization? How do we approach that? You know we've got to make sure to tell people in an acceptable use policy what they can and cannot be doing and the consequences for that. So you know I think these are all very important areas that need to be considered by retail and hospitality management that's going to go down this road.

Luke Vander Linden: Right. And it is fascinating the differences between what you might call off the shelf AI tools that are out there in the wild versus tools that some of the applications that you use and support that are being added to the tools that you use -- and then of course you can have your own bespoke in house AI products as well. And I guess the policies would be different for each of those use cases.

Alex Douds: Yeah. For sure. And we're seeing -- we're seeing different approaches to that actually in the retail and hospitality industry. One of the largest retailers in the world that we actually work with has in the last six -- I think it was about six months ago management came down and said, "We're not going to use AI. You're not to -- you're not to access Chat GPT or any other external AI systems through company work computers."

Luke Vander Linden: That is -- that is I imagine nearly impossible to enforce.

Alex Douds: Well, yeah. You can -- if you're doing it through company owned work stations it obviously becomes a lot easier. You know, you can't really obviously enforce a person's personal computer effectively and then what they're -- you know, if they're getting proprietary company information into Chat GPT. You know God forbid someone in internal audits trying to write a report using Chat GPT or whatever. But, you know, that's where policy and procedures can only go so far. But the point is from a -- you know from a legal and disciplinary perspective that's always where you start. Right? You have that policy. You have that procedure. You communicate that. You're transparent with your employees if that's the expectation.

Luke Vander Linden: Right. That's where you start. But I think then the next logical step for us to discuss is implementation. So you can have a great policy, but how can companies ensure that they're effectively implemented?

Alex Douds: Yeah. I mean that again -- that again in regards to that is really to make sure that you're communicating that. There's various -- there's tools you can certainly use from, you know, you can -- you really you can't -- you can certainly control access to external AI from within your organization. Right? I mean more organizations may build a black list. You know, gambling sites, etcetera, whatever doesn't follow the acceptable use policy for years and years and years. So that's relatively simple. The key to implementing an effective acceptable use policy in my opinion is always going to be education of your employees. So you really help them understand how use of AI that violates the acceptable use policy can negatively affect the organization. You know, help your employees understand the risks so that they -- they can buy into why you're, you know, taking this approach. Because if you don't in the end, right, Luke, kind of what you said. If you don't have employee buy in, people are going to ignore it.

Luke Vander Linden: Right. So like many things it comes down to awareness particularly in the security world. So you've -- you've brought up compliance as another big issue that you're dealing with. I think that probably a lot of sectors have to deal with customer data, but in our retail and hospitality world that's a huge part of what we do. How can businesses ensure that their AI use and applications respect customer privacy and then also beyond that comply with data protection laws?

Alex Douds: Yeah. So that's a great -- that's a great question. Right? And I think it's one that a lot of organizations we see are still -- you know I hate to use the word struggling, but they're struggling with, Luke. Because it's very difficult. It's going to be very difficult as you integrate, you know, AI into your systems or AI to perform tasks such as -- well, let's take for instance, right, some -- an AI that you're probably and most listeners are probably familiar with. And that's the new chat functions for helping customers. Right? Those are AIs and you know if you don't architect those correctly, you know, you potentially could have those AIs and the AI databases storing customer information. Right? So you -- retailers are really going to have to take a hard look and involve, you know, information security, information security compliance, and the CISO in how they architect those because they're -- you know your average developer is not going to really have a high awareness of customer privacy and data protection laws. So you want to ensure really just like with any other project in any organization that you have information security or that information security function involved. Right? In the development of new AI applications and anything you're using AI for. And then if you, you know -- if you find out, you know, you need to allow some kind of PII send and response like, you know --

Luke Vander Linden: To look at --

Alex Douds: Social Security number. Yeah. Exactly. To look up an account. Can we at least, you know, redact that? Like can you use the last four of your social? Right? So you've really got to pay attention to architecting that AI correctly to make sure that you're not -- you're not collecting too much information. The goal of any retailer, any retailer, anyone in the hospitality industry, should be to collect only the data you need. That's kind of -- that's kind of a given that we've all paid attention to for years and years. But we have to make sure that when we're using AI in any way, shape, or form that we follow that and we don't get kind of wowed by this new technology and the cool things it can do and it's still -- we've still got to comply with compliance requirements and of course you know, like I said, I mean you're -- you know your average developer is not going to really have an in depth knowledge or any knowledge of various compliance requirements, GDPR in Europe. There's numerous different states in the United States that have their own individual compliance requirements now.

Luke Vander Linden: Yep. There's still not a national rule here in the U.S.

Alex Douds: Yeah. Yeah. Exactly right. So, you know, the experts have to be involved. And that's how management really needs to approach that to ensure that they're compliant with AI.

Luke Vander Linden: So now that we've solved AI in this conversation, looking more broadly at regulation since you brought it up, and cybersecurity in general, can you talk about the importance of compliance, regulatory, in shaping cybersecurity practices and then specifically within our retail and hospitality sectors?

Alex Douds: Yeah. So you know I mean retail and hospitality. A lot of compliance needs are driven by PCI, payment card industry, compliance. Right? Granted there's other stuff out there for PII, HIPAA, GDPR, the various state compliance, and things like that, but a lot of the focus the last 5 to 10 years has been on PCI and our retail and hospitality clients and architecting their systems to again reduce the data. Right, Luke? Reduce the data via encryption. Reduce the data via card tokenization which means you're not actually handling credit card numbers. You're just handling a random string of numbers given to you by the processor. That you know -- and so that's been a lot of the focus of a lot of our clients the last 10 years, but you know one thing I -- one thing I read a long time ago and I always like to say is that good compliance is not necessarily good cybersecurity. Right? And what I mean by that -- yeah. What I mean by that for sure is that, you know, I mentioned there's been a lot of focus on PCI. Right? For the last 5 to 10 years. And I'm not saying there's not been focus on compliance requirement, but PCI's been such a big drum beat in how to architect to avoid breaches of PCI. And too much focus on PCI, on that segment of your compliance, you can lose focus on other areas. Right? You can lose focus on your customer's PII. You can lose focus on your employee's critical data and come into a violation of, you know, HIPAA from that perspective. So again, you know, you might, you know -- so when I say good compliance is not necessarily good cybersecurity, it's really about the focus and making sure there's an overarching governance across the entire organization to make sure that, you know, your information security people, your CISOs, that everyone has that kind of overall awareness of what good cybersecurity means and all of the data you have to protect within your organization, not just the credit card data. So again it's really about ensuring and maintaining that focus and making sure that your security people aren't laser focused on one compliance piece.

Luke Vander Linden: Yeah. I mean that -- I mean that's -- that's tough because you have different often competing regulatory frameworks and compliance frameworks to deal with. How can a company and specifically retail and hospitality create efficiency, streamline processes, and cope with those multiple regulatory and compliance frameworks?

Alex Douds: Yeah. No. That's a great question. And you know it's -- it can be tough. Right? Because it -- you know, and RHI's like you have a lot of members of varying size. Right? And if you're smaller or medium sized you may not have the resources to buy, you know, a super fancy tool. Now what we're seeing in our larger clients is the purchase of GRC tools like audit based tools and GRC tools such as on spring, SAP, audit board. There's a lot of players in this industry. Right, Luke? And what those tools allow these organizations to do is to kind of take all these compliance frameworks, HIPAA, PCI, GDPR, state regulatory compliance and privacy requirements, and combined them. And what they do is they use, you know, a tool like the secure control framework or the unified control framework to kind of -- what these control frameworks are doing, I mean they're in the name. Right? Unified control framework. Is they're mapping all these different compliance and security frameworks against each other because a lot of these controls are either identical or very, very similar so you can create this mapping. And that creates, you know -- and what our larger clients are doing is using these mappings and uploading them into these tools and you know they're large clients, right, Luke, so they have a whole compliance function and they have a whole info sec function and they have a CISO which some of your smaller organizations in ISAC may not even have. Right? But they have all that so that's kind of the way they're going. Right? They're using these control frameworks, importing them into GRC tools, and managing them across the whole life cycle from governance to policy and procedure, to audit testing, to validation and kind of maintaining that whole life cycle in there. And that way they can create a ton of efficiencies. Right? From, you know, policy and procedure mapping to evidence gathering for the actual auditors to validate your compliance, etcetera, etcetera. And so that's what we see the larger clients do. What we see the small to medium sized clients do is the best they can. You know, and that's utilizing tools already available. You know, like a Microsoft Excel or you know a Google suite tool to, you know, develop -- develop tracking of their regulatory and compliance frameworks. We work with numerous clients that have used, you know -- you know utilized -- leveraged the capabilities of like a SharePoint that a lot of small and medium sized clients are, you know, already using for whatever. And kind of create that, you know -- there might be only one or two people that are in that compliance or have been assigned that compliance role depending on the size of the client, but we see them trying to do the same thing the best way they can utilizing what they have, utilizing SharePoint to collaborate with others online to upload, you know, some kind of compliance framework that makes sense for their organization. You know, your small or medium sized organizations probably aren't going to have quite as many regulatory compliance needs as your larger -- largest organizations. But they do have some so it does become a little easier for a smaller organization to use kind of already available tools. But there is the realization and the understanding among many of our clients that this is kind of the way to go and this is something that they need. And we do see them building these even with one person teams to kind of help them get through it. And if we don't see them building those or if some of our listeners have never considered this, I highly encourage you to seek out, you know, someone in your organization that has at least some familiarity with compliance requirements and the needs of your organization that can maybe help, you know, build something that will help you get through all your different compliance needs and various audit needs and things like that because we definitely see all companies of all sizes leveraging all kinds of different tools and all kinds of different methodologies, but the point is that they're all trying to do it. Right? They're all trying to do it to help them get through these compliance needs and audit needs.

Luke Vander Linden: Because you have to. Well, this is great. You've given us a lot to think about today. It's very complex, but I guess that's job security. So appreciate you coming out. Alex Douds, VP of cybersecurity services at S3, AKA Specialized Security Services. Thank you very much for joining us and thank you for your support of the RH-ISAC.

Alex Douds: Absolutely. Thank you so much for having me, Luke. It's been a pleasure. Have a wonderful day. [ Music ]

Suzie Squier: Well, today I am joined by not one, but two fabulous RH-ISAC members who have been with us for all of our 10 years and probably and a little bit more because they were there as we were building the then our assist. I'm joined by Diane Brown, the vice president of IT risk management and CISO for Ulta Beauty who's also a member of our board of directors, and Debbie McMahon, CISO for Dillard's. Two fabulous women. And I kind of think probably maybe the only women who are part of the founding group. Or am I missing anybody that you guys can think of?

Debbie McMahon: I think you're spot on on that, Suzie.

Suzie Squier: I think I may have it right. So -- so, you know, this is our little going back 10 years where we were then, what was going on, and I'd love to get each of your thoughts on where you were in your organization as we were coming out of 2013 into 2014 and there's a lot of -- lot of retail in the news. Not all for great reasons. And one thing that has come up in some other conversations is better awareness from the C suite of you and your position. So, Debbie, I'm going to kick it off with you. Do you remember what it was like at Dillard's after news of the breach hit the fan and this was not the first retail breach in the -- you know obviously in the industry. But obviously the largest at the time I think and it definitely made a larger wave than the others have. So what was that like for you at that time?

Debbie McMahon: It was pretty scary. As a matter of fact, my executives were all very tense. We had a lot of strained conversations. And they wanted to ensure that we wouldn't be attacked in the same manner. And of course it took some time to understand exactly what happened there. And it all led up to my very first board presentation a couple of months later.

Suzie Squier: And was your title CISO at the time? Because in other conversations we also had the kind of the rise of that title in the role. Were you -- was that your title back in 2013/14?

Debbie McMahon: No. I was director of information security and once my president introduced me as the CSO I went, "Okay. I will be the CISO." But not physical, thank you very much.

Suzie Squier: Yeah. No. Yeah. That's -- that's a whole other realm. Diane, how about you? What was it like at Ulta Beauty at the time?

Diane Brown: For Ulta Beauty it was actually an amazing time for us because we had just tokenized before holiday that year. And when the -- but it was also an educational time for our leadership and our board because even though we had just gone through this massive project to tokenize everything in our store environment, I don't think that the leadership team understood what that meant. And basically what I was able to say, what is happening out in the retail world we don't have to worry about that anymore. I think that was -- but even after it happened a couple of times they kept saying, "Are you sure? Are you sure?" And I'm like, "Yes. We're sure." I mean we've got this one because it was just, you know, we just happened to pick that year to do it. And it was just very beneficial for us that we had picked it at that time. And so at that time I was a senior architect. I wasn't in the role that I'm in sitting in today. And it was -- I can just remember the emails coming in from all the different -- you know the different board members and the different executives. And like we need to get on a call. We need to figure out. I'm like, "We're good. Just relax. We've got this one." So you can actually sit back, have a nice cup of coffee, and this one we're good with.

Suzie Squier: Yeah. It was a lot. And a lot of folks said that was the first time that maybe they met -- or they may not have met. The CISO came down to their office to talk about these things. I mean it was a really, really -- and Debbie I think you used the right term. It was a very strange time in the industry. And then, you know, let's go back to the beginning when we started at the time. I was with RILA, the Retail Industry Leaders Association. We were pulling information security folks together to have these conversations. And I know some of you guys were -- some of the earliest meetings, some not, you know just depending on schedules. But what is your -- you know, what do you remember most about those gatherings and those conversations when it was the first time a lot of you and your peers got to meet one another? Diane, I'll turn that one over to you first. So do you remember what that was like?

Diane Brown: I remember exactly. I can picture where everybody was sitting in the room and it's like nobody was like sitting like right next to each other. Right? And the conversations were very high level. Like oh. This is a good idea. We need to do this. And everybody was just like, "Okay. Who's going to be first?" And actually, you know, as to your point, you know, we had to figure out how to do it. That was the biggest thing. And then you also had to get buy in from your legal teams and, you know, your leadership that this was going to be okay to do because we really hadn't gotten to that point. It's, you know, we all knew we needed to do it, but it's like how do you do it without giving away too much? You know, it was like you know do I really want to tell them that and I really want to tell them that? And I think, you know, just over the time it just has grown so much. But it was just like we all we trusted each other. It's like but we didn't trust each other. It's like okay. I want to work with you, but you know, you know, how do I know you're not going to go and take what I just said and put it out there on the news somewhere? So.

Suzie Squier: Yeah. Find out. Debbie, how about you?

Debbie McMahon: Yeah. Exact same thing as Diane. The leadership, the executives, of my company were looking forward to retailers getting together and banding together and fighting against it. And my legal department was, "Oh. Absolutely not. You may not." So there was a lot of as Diane says high level conversations trying to get comfortable with each other and yes. It was it took a little bit of time.

Suzie Squier: It was really -- it's really, you know, using new muscles and getting -- you know, getting everybody comfortable with that. And, you know, even -- even when we formed that didn't mean that everybody was jumping in. I mean it was still a lot of like come on. We can do this. And, like you said, it takes a couple of brave souls to really lead in and to do it to get -- you know, to get the momentum going. But it was great. And I think meeting one another and you probably didn't have a lot of you know meetings with other CISOs. Maybe locally or information security leaders at the time. Is that right or did you have some robust, you know, relationships with peers at the time?

Debbie McMahon: Well, I didn't. I was trying to just take care of my own. And, oh, that was -- has been one of the best things is meeting other information security professionals. We're all in the same boat together fighting against the criminals who -- well, we'll get into that later. But yeah. Trying to band together and help each other I think has been very successful.

Diane Brown: And for me, Suzie it was we had like a local Chicago group, but it wasn't retailers. Like there was I think I was like one of the only retailers in there. A lot of legal. A lot of healthcare. But and I know and understand we have similar problems, but you know retailers as we've learned, you know, as we talked about over the last 10 years, we have a lot in common. We have a lot in common. And I think that was the hard part for me is it was nice to talk to them and just hear about it, but it really didn't hit home as to okay. Well, what about I'm having this problem, you know -- a lot of the regulated industries like banking and stuff, they had very tough laws. You know, the rules. You had to do it. You had no choice. But in retail they're like, "Well, you know, we want to make it frictionless for our guests. We don't want to impact people. And we don't want to -- " You know, and that may -- I think that was a big difference versus the regulated environments. And that's where I really, you know, have seen the growth over the last 10 years.

Suzie Squier: Yeah. And it really is -- it is really -- and I don't -- I'm sure the other sectors do this, but because of that the work with the business and walking that line, you know, where you don't have that -- you know of course we have, you know, regulations we have to all abide by, but you know you just don't have that overarching regulatory body. And so that's really saying, "Yes. No. Yes. No." So there's a lot of that conversations you do have to have with your business partners that they didn't have to have. And as we all know also we're -- our resources are a little different than in some other sectors I would say. So that's been notable for you, Debbie, is sharing all of that with your peers.

Debbie McMahon: Yes indeed. It's we've all struggled with getting the buy in from the business owners. We've all struggled with getting the budget. I think and I really hate to say this, but I'm sorry for Target, but it was one of the best things that happened to everyone else because it let everyone know how bad it can get.

Suzie Squier: Yeah. You don't always want to be the one.

Debbie McMahon: The poster child. No. But yeah. Put a face on it and allow an open conversation.

Suzie Squier: Well, yeah. And they have, you know -- talk about someone who has taken that really embraced a leadership role. You know versus a culture that could have shut down and said, "We're not sharing," they've done just the opposite.

Debbie McMahon: Yes. They've been excellent at sharing.

Suzie Squier: Yeah. The leaders and look. Really, you know, one of the strong leaders in the industry to do that.

Diane Brown: Suzie, I think one of the first things -- I think one of the things that came out, you know, for like people like Debbie and myself is the fact that that's the first time after that happened that anybody had ever come up to me and said, "Do you have enough resources and do you have enough money?" I think that is what actually started those conversations because in the past, you know, we were always -- we budged as part of the infrastructure team and they always gave me my little piece of budget. But then there was the first time that I actually was asked do I have enough. And are we have -- do we have enough to make sure that we're protecting us? I think they finally realized just how -- what cybersecurity was I think and cyber incidents were. And I think that was really when it started introducing to more of us that question. I had never had that question until that time.

Suzie Squier: Yeah. And I would imagine that personally you guys have had the growth in your -- obviously in your careers and the row and the paths that you've been able to take because of this opened up. Do you feel that, Debbie?

Debbie McMahon: Oh. Most certainly yes. I get invited more often to the board meetings, to conferences, to many things to meet with peers. It has been explosive.

Suzie Squier: Yeah. It really has. And, Diane, I know your career path has also grown and taken on some great responsibilities because of it as well. Right?

Diane Brown: Right. And then plus, you know, over the 10 years it has just -- what we're responsible for. Before back in the day when, you know, 10 years ago we had 2 on premise systems. Everything was on premise. There wasn't a lot of this cloud that we have today. And therefore your area of responsibility was smaller. But over the last 10 years since this first started the sharing no longer is just about what happens inside your world, but also outside of your world. And I think that is -- I think that might have also been part of the catalyst, Suzie, on how this all exploded because that's when, you know, if you're on your premise and you haven't patched the system that's one thing, but if it's a third party vendor that, you know, over 50% of the retailers are using, all of a sudden everybody's like, "Oh. Has anybody heard? Anybody heard? Anybody know anything about this?" And I think that really helped generate a lot of the conversation.

Suzie Squier: Yeah. And that was one of the things I was going to ask. Like how has -- how have things changed over the year and how have they stayed the same? In one sense, like you said, I mean, you know, HVAC was a vendor. You know, that's you know so that's that problem was there. But I think the magnitude, especially when it's a major player that affects a good portion of a sector or an industry, and that's where the information sharing, you know -- as we've seen over the -- you know, of course even the beginnings of '24 you know with vulnerabilities being, you know, you know, exploited and things like that. So --

Debbie McMahon: What I think perhaps -- I'm sorry. I was just going to say that I think perhaps supply chain attacks continue to be a real fear for me because third party management, I mean you can on board someone and you know what the security is like when they first come on as a vendor. But you don't know from day to day and it's really hard to keep up with understanding what your risk posture is with all these vendors.

Suzie Squier: And you have so many.

Debbie McMahon: Yes.

Suzie Squier: Yeah. And then you have vendors too. You know you have your -- you know, not just your software and suppliers, but you have all of, you know -- all of those as well. Right?

Debbie McMahon: Right.

Suzie Squier: It's I think as we saw in the CISO benchmark, what we've seen in there, it's still I think it's like the number two, you know, threat that keeps all of you folks up at night. That and ransomware.

Diane Brown: And I think the more that we automate everything, especially like with the APIs now, before you know you were sending a flat file, the SFTP or something or you were sharing information in a very controlled manner where you could go back and look at the original data source, but now with APIs and all the integrations we have out there you know data's flying real time. It's -- so I can't go back and look at a file to see, you know, is that data in there. Could that have been? What could have happened? And I think that is where like I said I think Suzie, you know, where we -- the big boom has happened for us as far as that sharing is. Kind of like you all solar winds. That was a big thing. You know, all the people that had solar winds. And how do we -- and that was an amazing time I think within our organization about how people were sharing the -- you know, the IOCs. And how people were giving information to each other and helping people out. And I think that was -- that to me was a huge show of how this organization has grown over the years. 10 years ago we sat there in that room. We would have never thought of letting people know about our IOCs and who's attacking us and all of that. We would have never said, you know -- we didn't feel confident that we wouldn't -- you just didn't have that comfort level yet. But, you know, now that people are it's all open it's no longer just -- I guess it's not your house anymore. You know you're now all sharing this, you know -- this big public internet out there. And I think that's where we realized that you really have to you know partner with each other to help each other out because one, you know, somebody may be getting really hot and heavy and you may not be getting hit yet, but that doesn't mean you're not going to be the next one on the list tomorrow. And if you can get early indicators then you can just protect yourself. You know, you can protect yourself better and quicker. And we are getting to be more proactive than reactive and I think that's one of the biggest benefits of our organization now is we're more on the proactive side. A lot of it was reactive. Go look and see if you had it. But now we can block it before it even gets to us.

Suzie Squier: Yeah. And I'd say log 4J was another one because that was just a whole other level as well. You know, and -- and the sharing, it's really great to see when other people can go like, "Hey, I think we're going down the wrong path. We've been looking at this." And people can pivot quickly and, you know, come to some good answers. And, like you said, see what they can do. So we're -- I think, Diane, you brought up some good things that are different than what it were back in 214. You know, what are other -- what are the other things or what else do you see maybe coming down the pike in the future that, you know, kind of keeps you awake at night now? Is there anything else out there that you're -- that kind of makes you a little nervous? Or just conscious or aware.

Debbie McMahon: I would say and I know the big buzzword is AI and I don't even know or understand how it's going to impact us. I do know that it's something to be cherished and yet something to be feared.

Suzie Squier: Yeah. I agree. I didn't want to bring up the two letters, but I think that is a --

Debbie McMahon: I know. I'm sorry.

Suzie Squier: No. No. I didn't want to bring it up because I -- and now. I'm glad you did because I didn't want to project for you, but I do think that it's I think I agree with you. I think as everyone says it's a dual edge to it.

Debbie McMahon: They keep saying how bad it's okay to impact cybersecurity and I don't think that I've actually seen anything yet, but I know how powerful it is and yes. I'm worried about it.

Suzie Squier: Yeah. And, you know, Debbie, what are you most proud of of being one of our founding companies of the then RSS you know what -- what -- you know, when you think back on it, what is the proudest thing that you have to say about it?

Debbie McMahon: Just the fact that we have come together and we have matured as a group. And being there in the beginning and seeing everyone shuffling around and now everyone is so open it amazes me sometimes the things that -- I love the CISO community where they put out questions and so many people respond and it gives you alternate solutions or thought processes or something that you didn't think well as Diane said I'm not being hit with that now, but I'm probably going to be and so this is a good way to look out for that. So yeah. I'm very proud of the way this organization has matured.

Suzie Squier: Yeah. It's we've got some great people and we're excited to have them. Let's try Diane. You can take us in of what are your proudest moments of being a part and now being a part of the board of the organization? And being, you know, one of our founding member companies.

Diane Brown: So to me I just go quick back. I just step back really quick on the what's changed and what hasn't changed. To me one of the biggest things that hasn't changed yet is still our users are still our biggest challenge. Our end users. And it's just we've done so much as organizations to protect the device, but we still can't protect their text messages on their phones and prevent them from doing things. And to me you know that's still one of the biggest challenges we have. But I think the proudest moment for me, Suzie, in you know -- is the summit that we put on. The summit to me is amazing. It is my favorite event of the year. I love the networking that happens. Your organization that you've put together is full of rock stars. And they just put out these tremendous events. The speakers, the content that you hear, and you know just bringing your teams along with you. And I think that's one thing I'm really proud of is the fact that it's no longer just the CISO showing up. It's the teams are coming. I think this year, you know, we're really trying to make sure that we have a good showing at the -- at, you know -- at the event. And I think to me that is just is showing how much it's grown. And then the other thing is also it's not just me and Debbie anymore the only females that are there. You know, you really you know before it was like you could see it was very hard to pick the females out in the crowd and now they're very -- it's very obvious that women in tech is really growing. You know, as a -- you know, just you know, throughout the retail industry and the security field.

Suzie Squier: Yeah. Yeah. Great messages, Debbie. I'm sure they resonate with you as well as far as just the overall diversity that we're seeing throughout the industry.

Debbie McMahon: Absolutely. And I do love the summit as well. And I'm proud to be able to bring some of my team members and let them get a feel for it because they follow the -- they're in the communities and they follow. And the working groups. I really appreciate the working groups you guys have started up. They've been a great help to us.

Suzie Squier: Oh, that's good. Yeah. It's like I think Rich Augustino [assumed spelling] had the best line a couple years ago. He's like it's like the summit it's like a team meeting. You know, it's like, you know, with all these your colleagues and it's like, you know, you can all rally around some conversation. So it's -- it's a very close knit group. But yeah. We welcome all sorts of, you know, however -- the new folks as well. Love to have them. And I think the size is good. I hope we kind of keep it that way so it doesn't get too big because it gives us a great opportunity to really have those meaningful conversations and things like that. So well listen. Our time is running out. You know I love seeing you two. It's always good to have you whether virtually or in person. And can't wait to see you in person next time we get a chance. Diane, I hope you're -- go ahead, Debbie.

Debbie McMahon: No. I was just going to add one last thing to say that I think the largest part of the success for this organization is you, Suzie. Your energy and enthusiasm. And yes. I really appreciate. And Diane, she's so welcoming and really appreciate her as well.

Suzie Squier: Well, thank you very much. I love our folks. Yeah. Just any final words, Diane, as we head out? But thank you so much for being a part of it.

Diane Brown: Yeah. It's an amazing organization. I agree, Suzie. You make it. You just you are such a delight to work with. And you can raise the enthusiasm in a room so quickly.

Suzie Squier: Well, thank you. And I want anybody listening to know I did not pay them for that endorsement. But thanks so much. I love our members. I love you too. And here's to another 10 years at least of growth and great information sharing. So thank you both for joining me today. I look forward to seeing you soon. [ Music ]

Luke Vander Linden: And here we are with our very own Lee Clark. Welcome back to the podcast, Lee.

Lee Clark: Thank you, Luke. Always delighted to be here.

Luke Vander Linden: And you know what? It feels like we just saw each other. But wait. We did. Two weeks ago in Denver at the summit. It was great to see you in person. Now it's great to see you virtually.

Lee Clark: Yeah. As always, Luke, terrific to see you in person. For our listeners, Luke is even more gentlemanly and charming in person than he is here via the dulcet tones of his voice. Right?

Luke Vander Linden: Right. Yes. What you see is what you get. I am what I am and you are what you are which is wonderful. And not only did we see each other. There are over 400 of our colleagues from around the world in the retail hospitality cybersecurity world which was excellent. Love to hear from your perspective some of the things that stuck out to you.

Lee Clark: Yeah. I know I'm biased. I work here. Right? But I'm not exaggerating when I say this is like the best summit I've been to yet. It's my third summit with the RH-ISAC. And every time I see just they're getting better and better.

Luke Vander Linden: Yeah. It's my third summit as well and I said earlier that there was just something in the air with this one. It seemed electric. A lot going on, and people were very active. So.

Lee Clark: Yeah. One thing that I was particularly thrilled with was we've got a new partnership with SANS. I'm sure we've discussed it on the podcast in the past. And part of that partnership was they did this weird interesting hybrid of a couple of their different open source investigation courses. That was really cool. And they put together basically an introduction to open source analysis. Not just cyber, but across the physical spectrum as well. And they did like a two and a half hour SANS course which normally would, you know, be quite a steep price tag, and you'd have to go to a dedicated event to go to that boot camp and everything. But this was very interesting and it was one of the better attended sessions. We had really technical and really applicable. Right? All actionable information for members. I was thrilled with that session.

Luke Vander Linden: Excellent. And I assume we'll see more out of that partnership at events throughout the year and in coming years which is great.

Lee Clark: Oh yeah. Yeah. We're looking forward to see how this -- how this develops over time and how it can continue to help promo some of their trainings and get access to that for some of our members who maybe wouldn't have had it otherwise. Right? A few other things really stand out. We had a new faces panel. First thing first day. And we had a couple of newbies to the RH-ISAC talk about how our services have sort of impacted their ability to scale their defenses and their ability to expand defenses across the enterprise. It's always great to hear someone say that you're doing a good job. Right? But what was interesting for us was they had specific ways that they were leveraging services and specific ways that they were making our services augment gaps in their own when they were able to make like cases to leadership for great involvement in the community. Something that we're always pushing for here at the RH-ISAC. It's as much community engagement as we can get. The more data our members send to me, the more data I have to make holistic statements about the landscape we'll give back to our members. Right? So there's this -- there's this open reciprocity that creates a better defensive position for some and that panel really helped highlight how that's working for organizations who are coming into the RH-ISAC brand new.

Luke Vander Linden: Excellent. Yeah. That was a great panel. Not all new members. A couple new members. A couple of established members. But folks who were newish to the scene here at the RH-ISAC. And all women, I might add, which is great.

Lee Clark: Yeah. 100%. It's always terrific to see whenever we can get that sort of diverse perspective on our services and security. Right? Then two more I'd like to highlight just really quickly. The first one. This is from our member. This is from our members at Costco. Costco put on a presentation that just blew me and JJ away. For our listeners, JJ, you've heard him on the podcast before. He's my counterpart. He's our principal threat researcher, sort of my technical alter ego. Right? JJ and I for the past couple of years in conjunction with Ian, our integrations engineer, have been developing a threat actor galaxy in the RH-ISAC [inaudible 00:53:02] which you've heard about here on the podcast. And one thing that this presentation from Costco, it was on threat actor baseball cards, they call them. And one thing we immediately realized was man Costco's doing this better than we are. So they take a number of open source and closed source data pools and they create in depth updatable and actionable profiles based on sophisticated threat actors that they leverage across their organization. This is both for investigations and for informing leadership which is the exact goal of the RH-ISAC threat galaxy. And one of the things we were just astounded by was how organized, well presented, and their user interface was so good. So in the future our membership can be on the look out for JJ and I to be working a little bit closer with Costco as we develop the RH-ISAC threat actor galaxy because we discovered our member's doing it better than we can. Right?

Luke Vander Linden: Yeah. Of course. And that's why we exist. I mean we have our own small team of really smart guys on our intel team, but there's 3,500 cybersecurity professionals if you count up all of our members and of course they do things better than we do in many ways, and it's great to be able to find out what they're doing, highlight it, spotlight it, and distribute it and share it with the rest of our membership. It makes -- it makes the entire sector stronger which is awesome.

Lee Clark: Then there's sort of the last one that I'll highlight that I'm allowed to talk about. Right? I'd love to sit here and talk about the dark web working group and all the cool stuff we came up with out of that. Right? But that session was closed door TLP red so I can't -- I can't brag as much as I would like to on our members who helped with that one. But the one I would like to brag on again if I bring up JJ, JJ's been working for the past six months or so to leverage a platform called stairwell for our membership. Right? Stairwell has graciously partnered with us to provide access to their malware analysis platform. Basically operates as a sandbox and a repository for your rules, open source reports, as well as a place to conduct investigations for IOCs and TTPs. Right? They're providing that to our members free of charge. And one thing that JJ's been working really heavily on in the last years, integrating our technical intelligence capabilities with that platform so you get the dual capability at once. You get everything that we've got going on in MISP and all of our analysis that we do there in the technical realm. You've got a lot of mine reporting that's based on open source and sort of qualitative analysis rather than the quantitative and hardcore technical stuff JJ does. And you get the stuff that members are sharing to the stairwell section. Right? So you get all of that in one place. And stairwell did a joint presentation. It was Aaron Mog, their field deployed CISO.

Luke Vander Linden: Who was on the podcast a couple episodes ago.

Lee Clark: Beautiful. So Aaron and JJ did a partnership showing exactly, one, how we're securing that space, two, how we're leveraging it for members and how we envision expanding that over time, and then three, some additional features that they're applying for to demonstrate value for the community. Right? And what I particularly loved about this is it's exactly the way we love to interact with associate members. Right? The entire presentation is just here is the tool. Here's how people are using the tool so far. Here's how we're going to develop the tool for the community. There's no -- there's no sales angle. There's no click here to find out more. It was straight up all about what technical actionable capabilities can you enhance in your investigation by leveraging its partnership between us. And it's one of the reasons why we've been working with stairwell so much.

Luke Vander Linden: Yeah. Stairwell's great, but I mean just to be honest looking at where -- you know, we had an exhibit hall type area. Not your traditional 10 by 10 pipe and drape scenario, but just tables around in the foyer in the area where the conference was. And you got the sense that, you know, between the people who were there representing those associate members and vendors and our core members, which obviously is retail and hospitality, they were just having conversations. There was no sales pitch going on. They were just having collaborative discussions, strategizing on things, having nice relaxed interactions. So it wasn't, you know, a heavy sales event like a lot of these conferences tend to be.

Lee Clark: Yeah. And even expanding beyond that, right, we started this thing. I'm pretty sure it's new. If it's not new, I don't remember it from last year. And that's these critical provider spotlights we're doing where really critical associate member companies, these vendor companies, right, who provide services to our membership, they would get little 10 to 15 minute spots on some of the stages to talk about a capability that they were leveraging for the community or talk about a service offering. And again it's all actionable how this can help you, not come by my booth to get a t-shirt and figure out how I can sell to you. Everything was focused on the content of how it can enhance the ability of our members to do their jobs. Right?

Luke Vander Linden: Right? That's a -- I think we have three critical service providers. Palo Alto. Akamai. And Microsoft. So they were great in supporting the event and just generally around.

Lee Clark: So again I know I've probably done about 15 thank yous in various forms at this point, but since we're in a public podcasting forum I would again just like to say thank you first to our membership who came out as the audience and as many of the presenters and the organizers for this conference and made it a success, our associate member organizations who helped us with sponsorships and helped us out with a number of presentations and organizations, and then my fellow RH-ISAC team members in the events team, membership and marketing team, the research team, and the intel team who all just worked their behinds off 6 AM to midnight every day of the week to make the event what it was. And it's that level of dedication and that level of like communal investment from all these places that makes these events like in my opinion one of the best security events that we have in the field. Right?

Luke Vander Linden: Yeah. That's great, Lee. You couldn't have said it better. I mean that's great. You thanked all the right folks. And you know you pulled out some great sessions and things that happened there and the way it was. But that barely scratches the surface because there was so much more that we can't talk about here in this public forum just given the nature of what we do. So -- so what else is going on in the cybersecurity world that our listeners should know about?

Lee Clark: Sure. So over the course of the last month we've reported a couple of interesting stories that have -- some have been more prominent than others and others we report because they're more focused on our community. Right? So hopefully we start off with one of the more recent ones. Right? We had a mass manipulation campaign going on in GitHub's search functionalities was being used to distribute malware. We report this specifically because any time we find a vulnerability or a campaign specifically targeting GitHub or GitLabs. We report on those immediately because they're so widely used across basically any organization that does any type of development or technical work in the IT space. Right? They're so ubiquitously used. So essentially threat actors were leveraging the search functionalities in GitHub to trick users looking for popular repositories into downloading fake impostor malicious counterparts that were serving malware. This is from a report in Chexmarkx that goes really excellently technically into it. This is an ongoing trend that we're seeing posing a pretty significant threat to the open source ecosystem. By exploiting that search functionality in GitHub and manipulating repository properties, attackers can essentially lure unsuspecting users into downloading and executing malicious code themselves without having to do anything sort of sophisticated. So we put out this report and we put out a number of mitigations including indicators of compromise that we recommend all of our members to check out for that one. Right? Another one I'd like to share. This is from my colleague Bradford, our CTI analyst who we're very glad to have back with us. This one got a lot of public play right up front. Had a lot of hype around it really quickly. It happened I think over a weekend about three weeks ago. And I haven't actually seen much development from it since then. This is on the XZ tools vulnerability. Right? So at the end of March Red Hat warned a lot of their users to immediately stop using any systems that were running Fedora development and experimental versions and XZ because a backdoor was discovered. This is CVE 2024 3094. It was discovered in the latest XZ utils data compression tools. And some of their libraries. They warned all users to immediately discontinue any usage of Fedora 41 and Fedora Rawhide for work and personal use until patches could be released. Right? The reason we report this is because XZ is widely, widely used across a number of organizations. Not maybe as quite as wide as GitHub or GitLabs, right, but still very common use. So we assessed at the time that it -- the CVE, CVE 2024 3094 represented a pretty substantial threat to organizations in the retail and hospitality sector that were unable to patch initially. Now of course a number of remediations have come out for that since then. And I have not actually seen that many severe attacks leveraging this like a lot of the hype would have originally led us to believe. As a matter of fact, some of the larger campaigns leveraging CVEs that we're reported on in recent weeks are going to leverage a lot more of the CVEs that have recently been found in Avanti, big IP, Adobe, and especially Any Desk with a screen connect vulnerability that we've discussed, right, those I'm seeing leveraged a lot more than this one which is interesting because the hype over this was really pretty heavy in the first three or four days after the announcement emerged. Right? And finally what I'd like to highlight is a Sekoia report. Right? They released a new phishing kit analysis for new cut Tycoon which is a multi factor authentication MFA phishing kit that has attacker or adversary in the middle techniques. Right? AITM. It's got stealth capabilities and it has the ability to lower security detection through obfuscation techniques. Right? One of the reasons I mention this one specifically, again we haven't seen it used in any large scale attacks especially targeting retail and hospitality specifically, however AITM phishing kits are over the course of the past two years one of the primary methods that we see members being targeted. Overwhelmingly a major threat members report to us is used by threat actors of AITM phishing kits against them, especially Evilginx, right, is probably the main one. So any time we see a new one come on the market we usually like to report that immediately, get it out to members as quickly as possible because even if we don't see that particular kit, it's good to keep an eye on that ecosystem because it is a threat that our members encounter so often. Right? So they discovered, Sekoia researchers being they -- they discovered this in October of 2023 and they released a really good in depth report on how it works. Their monitoring identified over 1,200 domain names associated with Tycoon 2FA since August of last year. And they released several domains to the public for security awareness. So it's interesting. By tracking bitcoin transactions weight to this group, analysts anticipated that the phishing kit was a significant threat in the market due to publicly available reporting. Right? So one of the ways they tracked how prevalent this is is by looking at actually how much money it's pulling in via bitcoin tracking. Right? Now I mentioned this specifically because our keynote at the summit was a journalist named Andy Greenberg. Our viewers who don't have video, right, won't see that Luke is holding up a copy of "Tracers in the Dark." It's Andy Greenberg's new book. And a big chunk of that book is about the history of cryptocurrency and how cryptocurrency becomes the de facto coin of the realm for cyber criminals because it gets this mystique of being untraceable and anonymous. But I mean, as any cyber threat intelligence professional will tell you, I've helped arrest a number of organizations by tracking their cryptocurrencies.

Luke Vander Linden: It was anonymous and untrackable until all of a sudden it was -- until it wasn't. Right?

Lee Clark: And again I will not apologize for plugging the summit again, but yeah. Another great reason to attend these is Andy gave a tremendous keynote on the cyber threat landscape as it relates to cryptocurrencies which again is a big thing that all of our members are going to experience. Right? Crypto mining and cryptocurrency scams especially.

Luke Vander Linden: And he stayed after his keynote and chatted with our members. What a nice guy as well in addition to being terribly smart.

Lee Clark: It was technically a book signing event. And instead it just kind of turned into like a fireside chat with all like 400 of us for another hour after the end of the keynote.

Luke Vander Linden: It was outstanding. And that was the -- that was the official last event of the summit which was a great way to end it. You know, and I just want to point out as you were talking about some of these more recent threats and things a lot of this information you talked about sharing it with our members, but you also -- you and Bradford and the rest of the team write about it on our blog as well which is publicly available. So if you're in the sector and want more information about any of the things that Lee just talked about, I think there's posts on all of them. or just click on the resources and blog in the navigation.

Lee Clark: And just to build and expand on that, we would be delighted to talk to anybody, members or not, if you have questions about any of that reporting that we do on the blog, if you'd like additional information or to see how it might affect your organization. The intel team would always be delighted to chat with you and you can contact us via the marketing team by the contact forms on our website because, as Luke is fond of saying and absolutely correct in saying, we are the ISAC for the entirety of the retail hospitality and travel industries globally, not just our members.

Luke Vander Linden: Exactly. I love to be quoted, especially to myself. It's great. Lee Clark, great to see you virtually. Great to see you a couple weeks ago in Denver. And I hope to see you again soon. Thanks for joining us and filling our listeners' heads with lots of great intel again.

Lee Clark: My privilege, as always, Luke. Thank you. [ Music ]

Luke Vander Linden: Wow. That was a packed episode. Thank you to our guests Alex Douds with S3, Diane Brown of Ulta Beauty, and Debbie McMahon of Dillard's, and of course our own Suzie Squier and Lee Clark. And, as always, thank you to the production team who have the thankless task of trying to make us sound good. From the RH-ISAC, the one, the only, the superstar, Annie Chambliss. And from N2K Networks, Jennifer Eiben, Tre Hester, and Elliott Peltzman. And thanks to you for tuning in. Stay safe out there. [ Music ]