Today on CXOTalk, we're speaking about security and how to manage and lead security in 2023. We're speaking with Kurt John, who is the chief security officer of the Expedia Group, and my esteemed guest co-host is QuHarrison Terry, who is the head of growth marketing for the Mark Cuban Companies. Gentlemen, welcome. Kurt, tell us about Expedia Group and tell us about your role.

I am chief security officer for Expedia Group, which means I'm responsible for physical security, IT security or cyber security, as well as privacy.

And QuHarrison Terry, welcome back. I love when you're the co-host and I'm just thrilled to welcome you back. So, tell us about what you do and the Mark Cuban Companies.

I'm the head of growth marketing at Mark Cuban Companies, as you've already stated, and happy to be back on CXOTalk, and really looking forward to the upcoming conversation with Kurt. I'm excited for this convo because we have to talk about security, right? Mike, Kurt, what do you see as the security landscape right now, with all of that complexity?

One of the things that I think a lot of companies are struggling with, in what the threat landscape looks like, is the scale, and I like the word you just used, complexity, just the size, scale. And with that comes the complexity of environments. There's cloud, there's edge computing, there's artificial intelligence, there's automation, there's orchestration. And what's funny about it is that not only are we transforming our business models and our ability to drive impact in the market, but the bad guys are as well. They have the same types of structures, the same joint ventures, the same type of, you know, collaborations that they're doing to try to drive their side and make money for themselves. And then we are trying to not only implement new business models to drive more impact in the market, but we also have to then defend against adversaries who are doing something similar. So I would say the biggest challenge is that size and scale and complexity. But having said that, there are probably a couple of things you can organize yourselves around when it comes to actual technical threats.
And there, it has a lot to do with your endpoint devices, the computers we're all using. It has to do with cloud, because we're all using it. For a subset of the population of companies, it has to do with edge computing as well. And then finally, artificial intelligence, ensuring that when we build those data models and we try to scale them, things can go bad really quickly. So both from a security perspective as well as from an ethics perspective, paying attention to artificial intelligence is really important.

Kurt, when you're at Expedia, like, there's tons of people in the world that are out there and they do, like, the chief security officer role. But at a travel company, what does that entail?

It's about our travelers, right? Because fundamentally, that's what we're trying to do. We're trying to connect our travelers with new experiences around the globe, and in order to do that, we need to serve them up with new capabilities, new ways for them to engage and plan their trip. And so we organize ourselves around our travelers, partners and, of course, our employees. So a lot of the decisions we make, and the questions we ask ourselves and the answers we tend to give ourselves, are around travelers, partners and employees. Now, fun fact about Expedia, a lot of people don't know this: there's Expedia.com, but Expedia Group also owns a lot of other brands as well. And it was interesting. I was talking to a friend of mine and I was saying, hey look, I'm gonna go work with Expedia now, and they were like, wow, Expedia, you know, Expedia's pretty good. But, you know who's even better? Orbitz.com. You should probably look into that. And I said, okay, I think I will. But at that time, obviously, I knew. But, you know, Orbitz.com, Travelocity.com, Hotels.com, Vrbo, CarRentals.com, the list goes on. So fun fact is we drive value in the market through a lot of different brands.

How do you think about security across this very broad landscape of different companies?
It's different well-known brands, the necessity to share information, because we've gotten to the point now where you're unable to accomplish whatever it is you need to do on your own, right? Unless you're building a very specific widget, a hardware widget at that, that other people are consuming. And even then you need someone to provide steel or some other type of raw material. You need an ecosystem of partners in order to be successful. And so fundamentally I look at it in two ways. The first is, how do you work with your partners to drive security consistently throughout your entire ecosystem? And so that means that, obviously, everyone doesn't need to meet this incredibly high bar, but what's the threshold at which you want to collaborate with your partners to really implement security across your entire value chain, so that everyone is strong? Because, you know, of course, the weakest link analogy. That's the one side. On the other side, for me, is threat intel and the ability to share data, right? Because then some folks within your ecosystem might be experiencing certain attacks, and then the question becomes how well can you all share information together, so that you can insulate yourself or try to pivot to prevent such an attack. And I find incredible uplift and value in both partnering with your ecosystem, as well as sharing information with your ecosystem. I think that's really the future. Even, you know, the federal government, the US government, from CISA as well as the office of Director of National of cybersecurity, says the same thing. In other words, to beat all of us, you probably need to be one of us, but then the flip side of that is to beat, you know, to be one of us, you have to beat all of us. Very convoluted, but essentially what that means is if we all cooperate and share information and just ensure that there's consistency in controls throughout our ecosystems, I think the US economy broadly, as well as our own individual companies, would benefit quite a bit.

How does Expedia think about, like, internally, that decision support system that you're describing? Because it's like, you know, to work across just the organization, everybody has their directives and goals, but in order to reach that alignment, you really do need to be able to frame or lean into some type of support network, and more so specifically around decisions, because I imagine when you're dealing with security threats and things of that nature, you don't have a lot of time. This is not something where, hey, let's come back to it next week or next month or next quarter.

This is not specific to Expedia. This actually could be applied to any company, and it didn't apply to the companies I've been with before, and anyone can adopt this. Fundamentally you're looking at two things. I think oftentimes people don't take enough time to actually build out that structure that you just... It's very much ad hoc, and you want to move from ad hoc to optimized as quickly as you can. What that means is consistency of processes. So, A, what does your governance structure look like? B, how do you evaluate risk within that organization? And you need a repeatable way to do that. C, do you know your risk appetite? This is very interesting.
I've been at companies before, and this is not Expedia, many, many years ago I was a consultant, and I've seen companies where they think they have a very conservative risk appetite. But when you look at actually the way that they're making decisions and the type of things they're going after, it's very much contradictory. They have a very aggressive risk appetite. And that emerges because people, or organizations, aren't intentional about defining what your risk appetite is. Is it conservative, aggressive, or somewhere in between? What do you sort of rally around? What are you more comfortable taking the risk on versus not? So that goes back to risk appetite. And then finally, you likely need within your structure a way to make decisions really quickly, like you alluded to, and that means that you likely need to assign certain decisions for certain risk thresholds. So for low, medium, high. So obviously, a high or critical risk might go to the CEO, but if there's something of a lower risk, that might be made at the director level or below, right? So really, I think what that comes down to is more intentionality overall around your risk program, and I think not enough companies treat it that way.
We have a really interesting question from Arsalan Khan on Twitter. Arsalan always asks these great questions. And he says, when technology is everywhere and with everyone, what do you define as the boundaries of your ecosystem?

Definitely today, the boundary of your ecosystem, not only has it moved backwards from sort of like your corporate network, but it's become incredibly more porous as well. So, a lot of holes in it. And so the way I think of it is that you don't define that boundary, which is, and within the security community you're going to find some people might roll their eyes at this, but zero trust, right? Bear with me for the time being. It's been thrown around quite a bit in the media, and companies are kind of like weird 20, trust Mecca, but zero trust, the tenets of it still remain true. So in other words, how do you create an ecosystem within your environment that allows the appropriate access of your partners and your employees, wherever they may be, in a way that doesn't require you to give carte blanche access to everything? So my fundamental tenet on this topic is I have no boundary, and even if I did, it would be incredibly porous. So, how do I better manage access at the software level? And zero trust is a big aspect of that.

What concerns have you seen on the privacy side due to that?

The biggest concern with this new setup is data sprawl, and that comes from three reasons. A, the velocity and scalability that comes with cloud, right? So you can swipe a credit card and then you're just off to the races, right? You have a dev environment, you have a pipeline, you can build something, a minimal viable product. You're putting data in there, then someone's like, oh, that's interesting data, let me make a copy of it. And it's very hard to get started, sorry, it's very easy to get started and very hard to contain. So data sprawl is one. The second has to be, in my opinion, the ever-evolving privacy. GDPR did a really good job of landing this very specific list of things that people need to do.
But for example, in the U.S., you know, different states are still thinking through how to handle privacy differently. And that means, you know, if you're in the US or you're doing business in the US, then you need to potentially be paying attention to 50 different privacy regulations. Luckily, in them, for the most part, there's sort of like a common thread throughout them, but you can't deny the complexity of having to do one-offs or nuances based on a particular state. And I think those are the two biggest things. In the first case, and the first case meaning data sprawl, you just need to be really intentional about having a very specific privacy strategy. But it can't be in isolation. There's a lot of convergence between privacy and security, and so you need both an individual privacy strategy, but you also need a joint strategy when it comes to your data and just your general corporate information protection. In the second case, one would hope, and I've seen some indications of this, that we're thinking of an updated federal privacy law, which would then make companies' lives a lot easier.

Now we have another question from Chris Peterson, and he says, to what extent can security organizations be a differentiator for their company by saying, well, you know, we offer better security, better privacy to the customers that they serve?

One of the things that security typically struggles with, generally as an industry, is articulating its value, right? Because our value is derived by the lack of incidents or the lack of breaches, and it's very hard to prove a negative.
So I've seen more and more, and I tend to call these business value metrics. So there's like operational metrics: you need to drive down vulnerabilities, you need to drive down risk, you need to articulate risk clearly, and so on. Those are sort of operational risk metrics. Business value metrics are how those activities deliver value to the business. A good example of that is, let's say, for my more security-savvy folks, ISO 27001. For those who don't know, and this ties directly to Chris's question, it is a certification by a standards body that you can obtain as an organization. And it essentially says that you are doing a really good job when it comes to the governance of security within your organization. That is, to me, an excellent example of moving from not just driving down risk, which it does, right? Because it means you've put certain things in place to make sure you have a healthy security program. But then it also becomes a business value metric. Why? Because your partners, if they want to sign a deal with you, might ask you, look, security is really important for us. It could derail our operations. How seriously are you taking it? And then you hand them that certification. And it's not the end-all, be-all, but it's a significant step in the right direction to showing that you have differentiated yourself in the market. That's a really easy example. I think, more and more, as you move down the tech stack, or you get to more technical outcomes of security, I think you're going to see those also start to get elected in the market as well. So I'm actually pretty excited about this because it solves an age-old problem, which is, A, the CEO and CSOs in years past spoke different languages, one very technical, one very business-centric. But B, whenever the CEO, or whomever, the board, might ask, well, how are we doing? And, well, we're doing great. No breaches. Well, if no breaches, do you still really need all that money, right? And so that's a tough, tough. Obviously, it should add.
So now, with these business value metrics, it makes it an easier conversation.

When you're building the vision of, like, an environment where there aren't many incidents, there have to be threat vectors or things that you find, like, prevalent, and they have different effects on how you set up not only your internal org, but even how you communicate the value of the systems you've put in place, because those are top of mind to you. So are there specific, like, computer incidents that you find right now very forthcoming or eye-catching?

I rely a lot on my threat intel team to kind of show what the general threat landscape looks like and what that means, for example, for Expedia. The other, to your point, is if there are incidents that my security operations team are mitigating or preventing from going live in the environment and blowing something up, then I would also raise those. Hey, look, within the last 30 days, here's the incidents that we prevented.
But, and I say this really quickly, to get to the crux of your question, the way I handle that now is I make an incredibly tight correlation between what my team is focused on and business outcomes. So let's say, for example, a company is focused on building stronger partnerships with third parties and trying to drive more automation there. Then all of a sudden APIs and, you know, edge computing are really important to drive that type of business efficiency, and my program needs to pivot as well. Why? Because that's a business strategy that's critical for success. And so my program needs to also pivot with that.

So, in that environment, just given that you're an e-commerce company, and there's tons of e-commerce companies out here dealing with this similar issue, how do you think about fraud? And is that a part of the threat sphere that you are responsible for, or is that something where you have to work very closely with, like, an internal business unit?

There's some fraud that starts from a security incident. There's some fraud that starts with misconfiguration, which some might argue is still looking at a security incident. There's some that might start from a privacy incident, which again, some might argue the same, but it's a little bit different. And so what it comes down to is a lot of heavy partnership, I have found, throughout at least three to four functions generally within the industry, and typically you see skill sets across those. So the best way to think of it is a value chain, and I think of most processes and outcomes as a value chain. So if, as an organization, for anyone that's listening, you want to make sure you handle fraud really well, then what's the outcome you're looking for?
What steps do you need to make happen? And then focus on driving that process regardless of where they may sit within the organization. Then there's always opportunities to optimize and shift things around. But what you want is the type of environment where you can get an outcome, define the milestones, and then drive horizontally across the various business units.

When you think about the government, right? So the government has this role where they're dealing, obviously, with some of the bad actors at the highest level in the space. But you're seeing so many edge use cases. Just palpable Or night because you're responsible for this fraud thing, what would a better corporate-government alliance on the fraud protection specifically look like in your eyes?
If you're not familiar with it, ISACs, it's Information Sharing and Analysis Centers, and there are a bunch of different types. There's like the retail and hospitality, there's the financial, there's like electric. These are all intended to be sector-specific groups of companies that focus on specific threats and then share information about it. And what's interesting about your question is that I would argue, and maybe it's more so in the e-commerce/consumer side of things, but I would argue most businesses are subject to fraud, right? Particularly if you have weak controls. So maybe a better way, that comes to mind, I have never thought about this before, so it's a really good question, is: do we need to start thinking about these topic-specific risks that are running horizontally across multiple sectors and, quite frankly, plaguing a lot of companies and sectors? So to answer your question, maybe it's some type of information-sharing type situation specifically for fraud.

And Wayne Anderson, who's another regular listener that also asks these great questions, he has two related questions. Let me ask you both of these because they're connected. Number one, in a consumer ecosystem where individuals cannot hold a provider accountable contractually, what to you is the biggest board motivator for a security program's incremental investment? So in other words, what's the argument that you make to boards around the value of security? Because as consumers, you know, when providers go down or release our private information, there's just nothing we can do about it. And then he also wants to know, in your mind, how do you group, or what are the important metrics that a security team can present to drive board member and business colleague conversations? So I think, to summarize, what he's really talking about is how do we get boards and senior business leaders, executives, to take this seriously?

When it comes to boards, there are two things. The first is, you need to find a way to articulate to that board how security is helping to either protect or enable the journey that the business is on. And so to the best extent possible, you always want to articulate your security outcomes in the context of the business strategy. And typically there's an update on the business strategy during board meetings, for the CISO to come either before or after and to be able to say, well, yes, and here's the steps we're taking to help safeguard that strategy.
That's one. Two, consumers are also getting very savvy, and I think boards and just management in general are beginning to realize that, especially with the advent of social media platforms like Twitter, you know, things can go south really quickly. And having seen that, I think boards are much more sensitive to how companies are perceived. And so I think the biggest driver, which it should be, as a foundational item, is compliance, right? Are we doing anything that's going to land all of us in, like, the jailhouse or testifying in front of Congress? No? Check. Who are we as a company? And are we taking the steps necessary that our consumers will continue to perceive us as advocates of their security and/or privacy? We are not. And that I think a lot of companies need to ask themselves. This question then: who are we, and I use the term individual because I see companies as having unique cultures and personalities and so on, so bear with me as I use the term individual loosely, what type of individual are we when it comes to security and privacy? And how far are we willing to go? The third is, do we even need to be best in class? Or are we the type of company that's good at industry standard? Is it best in class or a little bit below? That's a continuous risk conversation that a company needs to have with itself. I don't subscribe to every company needs to be best in class at all times. There's a lot of variables that you need to consider.

When it comes to your colleagues, it's the same thing, just taken down a level. So along with the overarching company strategy, in terms of all security is protecting that, you then need to have those exact same conversations with your counterparts or other business leaders. Here's how we're driving security within your organization. It's very topic-specific. When it comes to security, you cannot make an even spread, except for things like your annual security program. You want to create a specific type of, you know, outcome conversation, whatever you want to call it, with specific business leaders.
And then the thing I would say is you need to be very maniacal about feedback. You have an idea of what it is you want to accomplish, you're going to try your darndest to connect with the board and other business leaders in a way that you think makes sense, you're going to really push for outcomes that make them successful, but you're not always going to get it right. And so you want to have sort of a closed feedback loop system where you are constantly getting feedback. How did that land? Was it useful, was it not? And so I'm a big proponent of business value metrics, how are we landing, and then getting that feedback, and if you need to pivot on that business value metric, then you do.

I think it's a good answer. When it comes to the boards, there's no quick and dirty response. There's no magic bullet here, right? It's a matter of convincing the board that they have to make this investment, which is obviously tough, because the investment is like insurance. And, you know, it's like, gee, I think we should buy a lot, a lot, a lot, a lot of insurance for this risk that, to get back to what you were saying earlier, may seem really unlikely.

Completely agree. And then one other thing I'll mention is you have to be an incredibly amazing steward of that money. And what do I mean by that? If you're about to get an investment, you need to do two things.
You need to be very clear and articulate about what value gets delivered when, and set milestones for you and your team, so the money just doesn't end up in the ether, and then at the end of the year, you're kind of like, well, look at this. And, yeah, but we gave you like 10 times that, like, is that all we got for the value?
And then the other is that just because you're getting an influx of money doesn't mean that you don't need to be just incredibly practical about cost savings as well. You constantly want to do that. So if there are tough decisions you need to make in order to drive more optimization on cost savings, it should not, like, you need to almost treat those separately.
So you constantly optimize your spend regardless of whether you're getting an influx of cash or not.

We have a question from Arsalan Khan again on Twitter, who asks really good, excellent questions. He says this: GDPR is a good framework, and we know that the US federal government is not going to jump quickly on to that level of data privacy. So why don't companies just adopt GDPR themselves as a standard?

The biggest caveat that companies have, why they wouldn't just do that, is because there would be mostly global companies. I think you'll find if they're either US-based companies that primarily operate in Europe or they're European-based companies, they'll do that in a heartbeat, right? But if you're looking at more global companies, you're going to find that they may be more hesitant to do so. Because one of the challenges is there are ever-evolving privacy regulations as you work your way east or west, right? If you're in the US, and then not to mention the 50 states as well. For example, I know California, just the CPRA, Oregon is looking at one, there's one in Virginia as well. So companies, I think, are hesitant, and what they end up doing is they try to find the common denominator and solve for that until there's a more predictable regulatory environment. So I think that's maybe the key takeaway: in the absence of a predictable regulatory environment, companies are going to try to do the sort of common denominator in order to avoid wasted funds, right? Because you optimize for GDPR, and then a state or two, or maybe a federal law in the U.S., comes along and sort of turns it on its head.
You know, Mike Tyson has a saying, where he says everyone has a plan until they get punched in the face.

Exactly.

I want to start to amplify this conversation a bit, right? As the chief security officer, you know, you can build a security system that's really damn good, but there's no system that's perfect. And when you do have an intrusion, or you do have something that goes further than you would like, what goes through your mind?

One of the things, as a chief security officer, you need to be able to do is to figure out how to fail fast and fail gracefully. Because nothing, as you alluded to, Q, is pitch perfect, and something will go wrong, and when it does, you don't want to languish and sort of tumble, right? You need to be able to fail and then recover as quickly as possible. So one of the things that I focus on as well, and this is, again, not just for Expedia but just something to do well within the industry, is you need to constantly be evaluating your ability to fail quickly and recover quickly. And I think that honestly is the biggest difference between companies that handle a breach well and others that don't, because if a nation state decides to come after you, there is very little you can do to prevent it.
And I was at a CISO conference this week, and someone asked the question, do consumers really even care anymore that breaches happen? And my response was, and the question wasn't for me, I was an audience member, but I kind of spoke up. I said, yes, maybe we are desensitized a bit as consumers, right? Because there are breaches, you know, every day you're reading about something different.
But it doesn't necessarily mean that consumers don't care. And the trouble that companies get into has shifted from a breach has happened, that's expected these days, to how does a company respond to that breach, and what is their communication like? And to me, that is also a part of your ability to fail quickly, fail gracefully and recover.

There's one thing that I will say. When I worked in security, one of the things that we got really good at, that I think helped us out a ton, was the Order and the article post-mortem. And one of the things that we did a little bit differently was we always led with the implemented fixes. So, you know, oftentimes you have your post-mortem, and that's like right after the event, you're like, saying, what could we do better?
What could we do wrong? And we led with the fixes and the solutions, or even if they were in development, we started there. And then we started to divulge into, you know, what were the mistakes and what can we do to do better moving forward. What does the post-mortem process for your team look like at the highest level?

I would say it's no different from how it should be done, right? So the fundamental questions I ask are what just happened, and why it happened. And even though you might not, sorry, not why, but how. How did it happen? And even if you don't necessarily know completely what adversary got access to what, typically you can get to the how fairly quickly. And what you want to start to do there is try to figure out, are there other areas within your environment that replicate this type of either misconfiguration or vulnerability that you need to start looking at really, really quickly?
It's always putting what happened in context, and then simultaneously you obviously need to work on, like, what was accessed, because then there might be some reporting requirements. But for me, it's all about figuring out the how, so that I can stem any type of breach of subsequent weeks I might have. But then after that, I need to get into sort of fixing mode really quickly and be able to communicate clearly to the board and others that might need to get that information.

If you could go back in time, let's say you have all the information that you now know today, what would your younger self do when you just got this job, you're brand new in the role? Because it's the top of the year. I mean, there's a lot of people that just got new titles, titles changed, elevated. And they're sitting in the hot seat and they haven't gotten punched in the face yet. So what advice would you give to them?
They're probably like four or five things and I hope I can remember them, right? Because the thing about getting into a seat like this, it can be really, really overwhelming, right? There's there's like a gazillion different things happening. Everyone needs your time, it's, you know, especially as a new see. So it's really hard to filter out the signal from the noise.
And so the advice I would have is Make sure your incredibly clear about your objectives and key results and always come back to them, regards to how people randomize you. That's what you're looking to deliver. The second thing is, as a in the security field, there's probably five things. There's there's awareness and training to try to reduce the likelihood that your user
population does something silly. There's endpoint protection, just because that's what, you know, most people click on stuff and you just want to make sure, and I use the term endpoint loosely, right, to include servers. There is vulnerability management, right? You want to try to spot and get rid of those vulns as quickly as possible. And then to the extent that you can, there's also zero identity and access management. If you can
nail those four, I think you are in a much, much better position than a lot of other organizations, quite frankly. And then you start to build from
there. So figure out what your foundation is, build some OKRs to those, and then that is your North Star. You are working on that religiously, and let the noise come and go, and you just focus on delivering on those. Chris Peterson earlier had asked a follow-on question regarding the ecosystem, and he says, how does Expedia, but I'm going to generalize this, how does security and IT deal with partner issues?
Like when Southwest, just, Southwest Airlines had their disruptions around Christmas, but to generalize, what do you do? Or what should, what should one do when the partners have a security meltdown and the data is leaking and you're involved because of that, what should you do? Hopefully, you're left of boom. This is sort of the industry term for it.
Something happens. And if you are, you want to start fostering, like, relationships with your key partners today: share information, share policies, find out how to get reporting both ways, and so on.
So that's what you want to do. Then if it's right of center and something's already happened, you also want to, like, truly be a partner, lean in with your resources, and see and ask how you can help, nothing, both directions, both you as the primary person, maybe there's a third party, but if you are a third party and there's a primary, you also want to do that, because again, without all of us, the kind of skin in the game, we're not successful. So build strong partnerships,
active partnerships. Arsalan wants to know, what about AI and the role of AI in security, maybe even using AI as an advisor to the Chief Information Security Officer? It came to my attention that someone's forked chat, and started doing some analysis and some development around that type of capability with security, and it was interesting because it would do something sort of like reverse engineer that malware that just came in and put the indicator of
compromise in this system, and so on. Basically just told it generally what to do and it was able to do all that. So I absolutely think there is a place today, and it's going to be an even bigger place in the future, for the way AI is going to help abstract a lot of the complexity of security and allow us to focus on outcomes. Now, some people might hear that and think, well, jobs are going away.
I disagree. Security is a very complex space, and I think what this does is free up very limited resources to work on more complex and interesting business problems. We have a really interesting point from Carry Sullivan on LinkedIn. And I'm going to ask this one to both of you because this question gets caught between, right square in between you both. Okay, she says, great, quote unquote, "growth mindset" thinking. Security is about human behavior as much as it is about
having great technology. Getting stuck in the crisis, letting a breach languish, is never the right answer. Post-mortem and continuous improvement are as much about improving the barriers, but also the people reaction and response. And so this is my question to you both. It's this, this growth mindset with security that as far as I can see drives, or it's
growth mindset within the business that helps create the conditions that drive all the breaches and drive the fact that my personal information is out there on the web. So Q, I blame you, and Kurt, apologies, but I have to also blame you, as representative of your sort of separate breeds of growth mindset, growth people, security people. I'm sure you might have seen it, but you know, Gen Z is very much into this. This is, we all remember growing up with these. Kurt, you
remember this phone? I do remember that phone. Crazy thing is, this is a BYOD phone that you have to worry about now. No, I'm serious. Like, flip phones are back. Flip side, this is also the same device that you have that you've got to worry about, and you got it in the bad guys. The bad actors are there on both, and this is actually probably more simple, so it's easier to infiltrate a network, and we oftentimes don't even think about it. And so marketers, we ruin everything.
We always see the emerging trends and we come in and we just, we don't think about privacy. We don't think about data. I mean, we just use it because we want the look, we want the press, and it oftentimes falls in your lap on the security side to fix it. But when I think about the people notion, this has always been true historically, like, what was old once becomes new, what is new once becomes old, and it's just
fascinating to see now, in a more connected landscape, how those things can even play into competitive intelligence, they can play into threats and security risks and vulnerabilities. But the way I'm going to pass this back to you, Kurt, is how do you think about that? Because AI is cool today, but I remember an era where voice was like all the rave, and I remember an era where blockchain and big data was all the rage.
So there's always a hyped trend, but you are responsible for keeping it all within the same vessel and making sure that engine goes forward. The technology might change, but to the point of the person who asked the question, you can swap out the technology, but it's, in essence, what you're looking for from your user communities, the exact same thing. First of all, security's job zero is, you know, are they advocates or champions for security?
And if they're not, you need to start more in the awareness, training and just engagement level and feedback level to try to drive that culture. But then from my perspective, it also comes down to diversity and that growth mindset. The growth mindset speaks for itself. How can you learn, evolve, you know, grow in order to be better and respond better to these types of issues?
But then diversity, I'm talking, you know, ethnic, cognitive, you know, you name it, every type of diversity, because one of the things that's pretty interesting about security, it's a very creative field, right? You can, like, two people can sit and stare at the same thing, and just because you had a spark of inspiration, you can figure out how to solve this issue where someone else might not. And so, yes,
it's technical, but it's also, there's a certain level of art to it. And whenever you're in a situation like that, you want the type of team that has very different backgrounds, that when they come together, they're greater than the sum of the parts. And so I would say it's a combination of culture, which includes that growth mindset, as well as diversity. What is the impact that you've seen from the application of IT
Security on the travel industry at large, like so they can before and after, and largely because of some of the Season yourself and colleagues and partners have put in place, and it has led to, you know, new environments for herself? I would say it's the ability to care deeply about your traveler and the experiences they have. And part of that experience is not just being able to see, you know, the Grand Canyon or Christ the Redeemer statue or whatever else
it might be. It's them having the confidence in sharing information with you and trusting you that you could facilitate this experience in a way that helps them be a better, you know, have a better outlook on life after versus before taking that trip. And so I think it's driving and trying to continue to build confidence with our travelers and our partners. And with that, I'm afraid we're
out of time. So a huge thank you to Kurt John and to Q Harrison Terry. Thank you both for doing this today. Thank you for having me. Likewise. And a huge thank you to our great audience. You guys are so smart. Thanks so much, everybody, for watching. Before you go, be sure to subscribe to our newsletter. Hit the subscribe button at the top of our website. Then just subscribe to our YouTube channel. Check out cxotalk.com and we will see you again next time. Have a great day, everybody.
