WEBVTT 00:00:04.900 --> 00:00:08.100 I'm Derek saretzky and I'm here with Brian Wells and Candice 00:00:08.100 --> 00:00:10.900 Samuelson from PPD nice to see you again, 00:00:10.900 --> 00:00:14.100 Brad and Candice and congratulations again to you and the PPD 00:00:14.100 --> 00:00:16.600 team for your cso50 award for 2020. 00:00:17.900 --> 00:00:20.500 Thank you, really appreciate the opportunity. 00:00:21.600 --> 00:00:22.500 Yeah, thanks Derek. 00:00:22.500 --> 00:00:26.000 We're happy to be here and I hope to enjoy our telling our story 00:00:26.000 --> 00:00:26.200 say. 00:00:27.200 --> 00:00:28.800 Yeah, thank you to get started here. 00:00:28.800 --> 00:00:32.000 Can you tell us a bit about PPD along with your rolls there? 00:00:32.900 --> 00:00:38.700 Absolutely PPD is a leading Global Contract research organization 00:00:38.700 --> 00:00:42.400 providing comprehensive integrated drug Development Laboratory 00:00:42.400 --> 00:00:46.100 and lifecycle Management Services, our clients and partners 00:00:46.100 --> 00:00:49.900 include pharmaceutical biotechnology medical-device 00:00:49.900 --> 00:00:52.700 academic and government organizations. 00:00:52.700 --> 00:00:57.800 We have experienced more than 100 countries around the globe. 00:00:57.800 --> 00:01:04.000 We have deep expertise in Medicine Science it and data analytics 00:01:04.000 --> 00:01:08.700 Regulatory Affairs operations and a wide range of specialty 00:01:08.700 --> 00:01:09.500 services. 00:01:10.200 --> 00:01:14.000 Peabody applies Innovative Technologies, therapeutic 00:01:14.000 --> 00:01:17.700 expertise and a firm commitment to Quality to help clients 00:01:17.700 --> 00:01:20.500 and partners been the cost and time of drug development 00:01:20.500 --> 00:01:26.500 to deliver light changing therapies that improve health and wellness 00:01:26.500 --> 00:01:29.700 and I leave I'm executive director of information security 00:01:29.700 --> 00:01:36.600 at PPD it government's got it. 00:01:36.600 --> 00:01:48.700 Thanks. So can you tell us about the project and particularly 00:01:48.700 --> 00:01:50.100 how it's evolved to present day? 00:01:51.900 --> 00:01:57.400 Yes, absolutely. I'm as you can imagine an organization 00:01:57.400 --> 00:02:01.800 such as PPD operating on a global scale in many different 00:02:01.800 --> 00:02:08.900 time zones in many different Regulatory Compliance perspectives 00:02:08.900 --> 00:02:14.800 how we got here was that we have various risk perspectives 00:02:14.800 --> 00:02:19.500 of the technology systems and the data that we process for our 00:02:19.500 --> 00:02:24.400 customers including areas such as information security best 00:02:24.400 --> 00:02:31.200 practices Regulatory Compliance such as the fda's part 11 compliance 00:02:31.200 --> 00:02:38.900 sarbanes-oxley compliance, no data privacy gdpr compliance 00:02:38.900 --> 00:02:45.700 house work contract obligations and adherence to the nist framework 00:02:45.700 --> 00:02:51.500 for those systems that operate in the Federal. 00:02:53.500 --> 00:02:57.300 Our approach was to take these various risk perspectives 00:02:57.300 --> 00:03:01.000 such as information security new vulnerability management 00:03:01.000 --> 00:03:06.800 access management encryption requirements regulatory requirements 00:03:06.800 --> 00:03:13.800 such as in a GXP regulatory AGC pgmp GOP sarbanes-oxley 00:03:13.800 --> 00:03:19.400 compliance controls for systems in Skype for financial 00:03:19.400 --> 00:03:24.700 reporting data protection laws are gdpr the requirement 00:03:24.700 --> 00:03:29.400 to produce a date of protection impact assessment customer 00:03:29.400 --> 00:03:34.900 contractual obligations around privacy security regulatory 00:03:34.900 --> 00:03:40.700 the standards for those systems again, hearing to the nist framework 00:03:40.700 --> 00:03:46.200 for systems that are used to participate in government 00:03:46.200 --> 00:03:49.600 studies taking all of these details. 00:03:49.600 --> 00:03:54.700 We wanted to provide a systematic approach to Assess the rest 00:03:54.700 --> 00:04:01.200 ensure that the controls were applied and then be able to monitor 00:04:01.200 --> 00:04:06.100 the ongoing adherence today's sorry strategy was to develop 00:04:06.100 --> 00:04:10.400 a standard set of control requirements that was enforced 00:04:10.400 --> 00:04:14.100 by policy using these various religious perspectives. 00:04:14.100 --> 00:04:18.400 In order to be able to understand the business impact turn really 00:04:18.400 --> 00:04:23.500 prioritize those critical systems that would identify essentially 00:04:23.500 --> 00:04:28.600 are crown jewels using data classification process seized 00:04:28.600 --> 00:04:33.900 to really again prioritize those systems that are most critical 00:04:33.900 --> 00:04:38.200 and then we wanted to to use those risk perspectives 00:04:38.200 --> 00:04:43.100 to ensure the applicability of the controls were available 00:04:43.100 --> 00:04:48.900 and applying if not what what were the gaps from a risk perspective 00:04:48.900 --> 00:04:53.300 and then utilize these to insert into a center? 00:04:53.500 --> 00:04:58.800 I want to be able to continually report on those gaps. 00:04:58.800 --> 00:05:04.400 We wanted to be able to have a systematic approach to establish 00:05:04.400 --> 00:05:09.500 where there were areas of concern and then uses for a continuous 00:05:09.500 --> 00:05:14.600 review of these risks and the technology systems that process 00:05:14.600 --> 00:05:19.300 this sensitive information without a pass things over the canvas 00:05:19.300 --> 00:05:31.900 strategy of a computer system risk profile. 00:05:31.900 --> 00:05:35.400 And as you can see by looking at this light is a very extensive 00:05:35.400 --> 00:05:39.300 profile. It talks about and gathers information for everything 00:05:39.300 --> 00:05:41.800 from what the business is going to do with that particular 00:05:41.800 --> 00:05:46.200 application with their process around using that is a tux about 00:05:46.200 --> 00:05:49.600 who owns the application from a accountability standpoint. 00:05:49.600 --> 00:05:53.100 We assess what data types are contained within. 00:05:53.500 --> 00:05:59.000 Application what Integrations exists that go in data into or out 00:05:59.000 --> 00:06:02.700 of the system we look at what servers and databases make up the 00:06:02.700 --> 00:06:06.600 delivery that system along with especially especially 00:06:06.600 --> 00:06:10.300 important with Cloud Management Systems today is we want to know 00:06:10.300 --> 00:06:14.000 where their hosted and who's hosting them but we know where 00:06:14.000 --> 00:06:15.500 our data is at any point in time. 00:06:15.500 --> 00:06:20.600 We also have a very extensive portion to assign those security 00:06:20.600 --> 00:06:24.900 controls that Brad mentioned earlier and we identify those 00:06:24.900 --> 00:06:28.900 and which controls are needed based on the data types that exist 00:06:28.900 --> 00:06:31.000 in that system and other various risk factors. 00:06:31.000 --> 00:06:36.500 So it we do a complete assessment is that as we ingest a lot 00:06:36.500 --> 00:06:39.600 of data inform our vulnerability scans and basically the whole 00:06:39.600 --> 00:06:42.800 idea this profile is to bring a lot of information together 00:06:42.800 --> 00:06:44.600 in one place. 00:06:44.600 --> 00:06:48.400 So that is one source of true that we can all look at and 00:06:48.400 --> 00:06:51.300 understand the risks around using a particular system in our 00:06:51.300 --> 00:06:54.500 environment and as you can see in the That's why they're 00:06:54.500 --> 00:06:58.800 we do other Assessments in there regarding gdpr privacy perspective 00:06:58.800 --> 00:07:04.800 Sox compliance GXP regulatory risk assessment, which is GXP stand 00:07:04.800 --> 00:07:07.800 for glp good laboratory practice good clinical practice. 00:07:07.800 --> 00:07:12.100 It basically just says that we are in compliance with our regulatory 00:07:12.100 --> 00:07:13.200 aspects as well. 00:07:13.200 --> 00:07:17.100 So this is a really am I get to the meat of the system 00:07:17.100 --> 00:07:21.300 that we've generated is to have extensive profile and then be 00:07:21.300 --> 00:07:25.300 able to utilize this data in a number of different ways to determine 00:07:25.300 --> 00:07:28.600 what the risks around that system are and what we might need 00:07:28.600 --> 00:07:33.000 to do to mitigate any of those if if need be so happy with 00:07:33.000 --> 00:07:36.300 that. I'll show you a little bit more about how that gets used 00:07:36.300 --> 00:07:38.000 how that data gets used in system. 00:07:38.500 --> 00:07:43.500 So on this next slide we're looking at a slide that is the dashboard 00:07:43.500 --> 00:07:47.700 of what the application manager or anyone else who needs to find 00:07:47.700 --> 00:07:48.500 out about the system. 00:07:48.500 --> 00:07:50.500 This is on the main screen. 00:07:50.500 --> 00:07:52.500 They would see for their system. 00:07:52.500 --> 00:07:55.300 They would be able to determine if they have any particular 00:07:55.300 --> 00:07:57.300 risk, and this is real time. 00:07:57.300 --> 00:08:02.600 So for example, if they're user access review is out of cycling 00:08:02.600 --> 00:08:06.000 they have to get some it's almost do it will turn yellow when 00:08:06.000 --> 00:08:07.800 it is due or post your past. 00:08:07.800 --> 00:08:08.800 It will turn red. 00:08:08.800 --> 00:08:12.500 So that application manager can determine at any given time 00:08:12.500 --> 00:08:16.900 what he needs to do to keep his system in compliance and keep 00:08:16.900 --> 00:08:19.300 the risks down to a minimum for that system. 00:08:19.300 --> 00:08:24.700 We talked about the inherent risk for and a residual risk. 00:08:24.700 --> 00:08:28.900 So we've produced a list of what we believe for our particular 00:08:28.900 --> 00:08:33.100 industry in our type of data where the higher risks are in which 00:08:33.100 --> 00:08:35.300 systems are of a higher risk category, 00:08:35.300 --> 00:08:39.600 and we determine that score based on how Answer questions 00:08:39.600 --> 00:08:43.100 throughout that profile once their inherent risk was calculated. 00:08:43.100 --> 00:08:46.100 We know whether we have a high risk system here a medium risk 00:08:46.100 --> 00:08:51.000 system or low risk, and then as they apply controls which we talked 00:08:51.000 --> 00:08:54.500 about briefly in that controls dashboard as those controls 00:08:54.500 --> 00:08:57.400 are applied their score will Lowe's lower. 00:08:57.400 --> 00:09:00.600 So their residual risk for will lower based on the controls 00:09:00.600 --> 00:09:04.800 and therefore obviously, we hope that all systems end up in the 00:09:04.800 --> 00:09:06.700 low residual risk for that's our goal. 00:09:06.700 --> 00:09:11.500 So that's how we use the data from that very expensive 00:09:11.500 --> 00:09:12.100 profile. 00:09:13.100 --> 00:09:17.000 And then just one other screenshot that you can look at that 00:09:17.000 --> 00:09:20.200 would sort of show how we use that vulnerability data that I was 00:09:20.200 --> 00:09:21.400 talking about earlier as well. 00:09:21.400 --> 00:09:26.700 We do bring in from our scans from all of our servers and systems. 00:09:26.700 --> 00:09:28.500 All of those are abilities that are out there. 00:09:28.500 --> 00:09:31.600 And of course, this is an ever-changing landscape by day. 00:09:31.600 --> 00:09:32.400 Is there a jalapeno? 00:09:32.400 --> 00:09:36.400 So we load that data up and were able to compare it not only 00:09:36.400 --> 00:09:40.400 against the apps that the higher level but it gives every underlined 00:09:40.400 --> 00:09:44.000 server and he just stops attached to me at all levels. 00:09:44.000 --> 00:09:45.700 We can look at this time. 00:09:45.700 --> 00:09:49.100 We have the capability to set one in our system is critical 00:09:49.100 --> 00:09:52.900 if we've got one that's come through as a zero-day vulnerability 00:09:52.900 --> 00:09:54.000 or a critical vulnerability. 00:09:54.000 --> 00:09:57.100 We want to track it see where we have it see how quickly 00:09:57.100 --> 00:09:58.000 we can get it fixed. 00:09:58.000 --> 00:10:01.200 You can see that on the screen the ones highlighted in green 00:10:01.200 --> 00:10:04.900 or vulnerabilities that we tagged is critical in the past that 00:10:04.900 --> 00:10:08.100 have now been fixed and you'll see some new ones that have just 00:10:08.100 --> 00:10:09.100 come in in February. 00:10:09.100 --> 00:10:10.800 This is a recent Sprint Print Screen. 00:10:13.000 --> 00:10:16.100 February in obviously some of those are still active at this 00:10:16.100 --> 00:10:18.700 point, but we know very clearly where they are and what we need 00:10:18.700 --> 00:10:23.500 to be working on and then finally just a little bit of value 00:10:23.500 --> 00:10:28.000 form the system if it is if you start to think about it is 00:10:28.000 --> 00:10:31.500 it's really become one source of Truth for our systems each 00:10:31.500 --> 00:10:36.300 and every system we operate and we have hundreds will have a profile 00:10:36.300 --> 00:10:38.700 built for them that identifies all of this information 00:10:38.700 --> 00:10:44.000 that's very useful for looking at a lot of aspects of those 00:10:44.000 --> 00:10:45.500 systems and what we need to do with them. 00:10:45.500 --> 00:10:49.900 It's certainly improved our security posture so we can tell 00:10:49.900 --> 00:10:51.300 that that's been a big value. 00:10:51.300 --> 00:10:55.400 The centralized wrist register is a great opportunity 00:10:55.400 --> 00:10:58.900 to have everything in one place and understand the risks that 00:10:58.900 --> 00:11:03.900 we we have and need to work on our way to get help improve 00:11:03.900 --> 00:11:05.000 our gdpr compliance. 00:11:05.000 --> 00:11:11.600 We've got the ability now to do I date in which is value. 00:11:12.300 --> 00:11:14.800 We improved our audit an infection performance. 00:11:14.800 --> 00:11:17.500 I mean having all this information in one place and available 00:11:17.500 --> 00:11:22.200 and readily have the answers when we walk into a client audit 00:11:22.200 --> 00:11:26.900 has been a tremendous effect as well provides greater visibility 00:11:26.900 --> 00:11:32.100 and that's visibility into all levels of that system and what 00:11:32.100 --> 00:11:33.600 it has the Integrations. 00:11:33.600 --> 00:11:38.500 It's got going the big one in and out a lot more visibility 00:11:38.500 --> 00:11:38.800 there. 00:11:39.900 --> 00:11:42.700 It also allows us to do impact assessment capabilities 00:11:42.700 --> 00:11:45.300 and I would say this is probably the one thing that we really 00:11:45.300 --> 00:11:49.600 seen the most value in because now if we have a problem with 00:11:49.600 --> 00:11:53.200 the system somewhere or let's say and you serious vulnerability 00:11:53.200 --> 00:11:54.900 comes out in the back. 00:11:54.900 --> 00:11:58.600 We've been told this is now being exploited we can go in and 00:11:58.600 --> 00:12:02.400 look for any system that has that particular potential 00:12:02.400 --> 00:12:06.400 ability. We are able to react fairly quickly to that example 00:12:06.400 --> 00:12:11.000 of one of our in the cloud vendors has a breach at their site 00:12:11.000 --> 00:12:12.500 we can then come back here. 00:12:12.500 --> 00:12:16.100 We can see exactly what systems what studies what clients 00:12:16.100 --> 00:12:20.500 we might have our data for in that particular with that particular 00:12:20.500 --> 00:12:23.800 vendor. So again, all of the impact assessment capabilities 00:12:23.800 --> 00:12:31.800 yet Fire and Ice I was 27001 certification. 00:12:40.900 --> 00:12:45.200 Well, thank you Candice and Brad for that overview naturally 00:12:45.200 --> 00:12:46.300 have some questions for you. 00:12:46.300 --> 00:12:49.600 So Candice all star with you first organizations. 00:12:49.600 --> 00:12:52.500 They traditionally face challenges when they don't integrate 00:12:52.500 --> 00:12:55.500 security and compliance at the beginning of a transformation 00:12:55.500 --> 00:12:57.600 and then they try to attach it later. 00:12:57.600 --> 00:13:01.400 So how did PPD address those kinds of challenges for this project? 00:13:01.400 --> 00:13:06.800 You can see in the information on the sides. 00:13:06.800 --> 00:13:10.600 The Genesis was really be on this is how we can about was two 00:13:10.600 --> 00:13:14.000 to really get to that point where we were looking at security 00:13:14.000 --> 00:13:17.700 at the front end because as you said it is much easier to do 00:13:17.700 --> 00:13:19.000 than to try to add it later. 00:13:19.000 --> 00:13:21.600 We wanted to provide that comprehensive set of requirements 00:13:21.600 --> 00:13:23.600 to those internal teams. 00:13:23.600 --> 00:13:26.400 No matter who they were from the very beginning of their project. 00:13:26.400 --> 00:13:29.600 They could come in and see as they Implement their technology. 00:13:29.600 --> 00:13:31.000 What do I need to do? 00:13:31.000 --> 00:13:32.500 How should I go about it? 00:13:32.500 --> 00:13:35.800 And how do I ensure to keep a hold of compliance risk at a 00:13:35.800 --> 00:13:39.100 minimum? And we also added 00:13:40.900 --> 00:13:45.400 Technical solution review process which goes along with the profile 00:13:45.400 --> 00:13:48.600 where we actually sit down with subject matter experts from 00:13:48.600 --> 00:13:52.400 all aspects of our company on to look through what they're 00:13:52.400 --> 00:13:55.500 planning to deliver here and what the risks are and I think 00:13:55.500 --> 00:13:58.100 that process along with that risk profile has really given 00:13:58.100 --> 00:14:02.600 us that ability to bring Security in as a front and center 00:14:02.600 --> 00:14:08.200 part of delivery study in why is important to put the security 00:14:08.200 --> 00:14:09.900 in at the very beginning of the project. 00:14:09.900 --> 00:14:11.700 So Brown a question for you. 00:14:11.700 --> 00:14:17.400 How about Senior Management questions about a particular 00:14:17.400 --> 00:14:19.100 project? And how did all of that go? 00:14:20.600 --> 00:14:26.600 Thanks, Derek Senior Management at at PPD is is very interested 00:14:26.600 --> 00:14:29.900 in and actually very involved in the information security 00:14:29.900 --> 00:14:34.900 program. Is there were questions from their perspective 00:14:34.900 --> 00:14:36.100 not only about this project. 00:14:36.100 --> 00:14:42.200 But but really how this project and enhance our information 00:14:42.200 --> 00:14:48.300 security program capabilities as we've described through 00:14:48.300 --> 00:14:49.400 throughout this presentation. 00:14:49.400 --> 00:14:56.000 It really is about managing the risk understanding the 00:14:56.000 --> 00:15:01.000 rest understanding where they dress are in an even understanding 00:15:01.000 --> 00:15:06.000 where those most critical components are located where it where 00:15:06.000 --> 00:15:11.000 are the crown jewels of the organization being able to use a systematic 00:15:11.000 --> 00:15:11.300 approach. 00:15:12.500 --> 00:15:18.200 To identify the most critical systems monitor the critical 00:15:18.200 --> 00:15:23.600 security controls of those systems where there may be gaps and 00:15:23.600 --> 00:15:27.900 Senior Management really wants that high level of you and this 00:15:27.900 --> 00:15:33.600 this project and this systematic approach using policy process 00:15:33.600 --> 00:15:39.900 and Technology to accomplish that was was critical to the success 00:15:39.900 --> 00:15:48.800 of this project and to our information security program is did 00:15:48.800 --> 00:15:52.200 you and the team learn along the way with a project is ambitious 00:15:52.200 --> 00:15:52.800 as this one? 00:15:54.500 --> 00:15:56.600 Well, there were there were plenty of those lessons. 00:15:56.600 --> 00:15:57.500 That's for sure. 00:15:57.500 --> 00:15:59.300 It would any project. 00:15:59.300 --> 00:16:02.100 I think the most important thing is to identify your stakeholder 00:16:02.100 --> 00:16:04.900 group and be sure you involve them from the beginning and that 00:16:04.900 --> 00:16:06.500 was clearly a big piece of this one. 00:16:06.500 --> 00:16:09.700 I mean with this project we had a variety of expertise 00:16:09.700 --> 00:16:12.800 that we needed which really came from across the organization 00:16:12.800 --> 00:16:16.500 from our legal department data privacy internal audit quality 00:16:16.500 --> 00:16:19.800 records management, you know the application of a search warrant 00:16:19.800 --> 00:16:22.800 database management, of course for sure and oh, 00:16:22.800 --> 00:16:26.300 yeah, the information security team Brad's team was very instrumental 00:16:26.300 --> 00:16:29.800 obviously and driving is along with my it governor's name. 00:16:29.800 --> 00:16:33.500 So really just having that joint vision of where we wanted 00:16:33.500 --> 00:16:37.500 to be what our goals were and we all knew what that success 00:16:37.500 --> 00:16:40.500 was going to hopefully look like I just allowed us to work together 00:16:40.500 --> 00:16:43.600 and I think it's it was a valuable lesson and how to bring 00:16:43.600 --> 00:16:47.100 a group of a wide variety group together for a successful. 00:16:48.300 --> 00:16:52.400 Yeah, sounds like a fantastic outcome from devolving so many 00:16:52.400 --> 00:16:54.200 stakeholders and constituents. 00:17:00.600 --> 00:17:05.400 A great question and as you can imagine it's really just simply 00:17:05.400 --> 00:17:10.100 not becoming complacent, you know, you know you taking some 00:17:10.100 --> 00:17:13.500 of these lessons and some of this capability that we develop 00:17:13.500 --> 00:17:18.100 not only through through this project and the systematic 00:17:18.100 --> 00:17:24.900 approach. So continue to the to understand where our threats 00:17:24.900 --> 00:17:29.500 are how we can use some of the the information provided 00:17:29.500 --> 00:17:34.500 with this system to improve our capabilities certainly 00:17:34.500 --> 00:17:39.200 looking at a community approach to defend against adversaries 00:17:39.200 --> 00:17:43.700 of your organization such as ourselves Community approach 00:17:43.700 --> 00:17:52.100 has such as intelligence information that is aspartame 00:17:52.100 --> 00:18:00.100 free organizations such as at pushing employees educating 00:18:00.100 --> 00:18:00.300 them. 00:18:01.200 --> 00:18:07.500 All the threats to information that these adversaries 00:18:07.500 --> 00:18:13.200 are really after and also maintaining a healthy balance of being 00:18:13.200 --> 00:18:19.000 proactive would security but also being able to respond when 00:18:19.000 --> 00:18:25.000 incidents occur being able to know the information from the system 00:18:25.000 --> 00:18:30.900 to quickly understand the impact of such an incident it really 00:18:30.900 --> 00:18:34.500 is that that healthy balance being proactive but being able 00:18:34.500 --> 00:18:38.100 to respond creating muscle memory by 2 p.m. 00:18:38.100 --> 00:18:45.200 Tabletop exercises based on certain attack scenarios in order 00:18:45.200 --> 00:18:51.100 to to drive a better response to an Ensign got it. 00:18:51.100 --> 00:18:54.600 Thanks Brad. So one final question here in this one's for you 00:18:54.600 --> 00:18:57.900 Candice. What did the organization learn from 20/20 that's 00:18:57.900 --> 00:19:01.000 helped to create more business resilience and security. 00:19:01.200 --> 00:19:03.300 When you organization into the future now. 00:19:04.600 --> 00:19:08.500 Well as I'm sure everyone can relate 20/20 was certainly 00:19:08.500 --> 00:19:12.100 challenging year, and I think people do you like most companies 00:19:12.100 --> 00:19:15.400 is really pivot anymore to using a global remote Workforce. 00:19:15.400 --> 00:19:19.400 Certainly that brings about additional security challenges 00:19:19.400 --> 00:19:20.800 lots more in points. 00:19:20.800 --> 00:19:24.500 If you will to protect and we continue to do that and shift, 00:19:24.500 --> 00:19:27.500 Arkansas, and we're consuming more cloud services and obviously 00:19:27.500 --> 00:19:29.500 dad brings about its challenges. 00:19:29.500 --> 00:19:33.100 So this project is really kind of put us in a position to help 00:19:33.100 --> 00:19:37.200 manage that third-party strategy and ensure really strong 00:19:37.200 --> 00:19:40.900 Cloud government. So I think as we head into 21, 00:19:40.900 --> 00:19:44.500 we're looking forward to using this information to keep us in 00:19:44.500 --> 00:19:47.600 a good place for sounds like a lot of good Lessons Learned 00:19:47.600 --> 00:19:50.200 there that you can address proactively. 00:19:50.200 --> 00:19:52.900 So Brad and Candice, it's been a pleasure and thank you for joining 00:19:52.900 --> 00:19:56.600 us today to talk about tpd's award-winning security project. 00:19:57.500 --> 00:20:01.600 Thanks, Derek to you and idg organization. 00:20:01.600 --> 00:20:02.700 It really has been a great experience. 00:20:04.300 --> 00:20:06.000 Yes, thanks Derek for having us today, 00:20:06.000 --> 00:20:08.500 of course into our audience. 00:20:08.500 --> 00:20:10.200 Thanks to you too for joining us.