Transcript
the practitioners building and defending modern data environments. Hi, and hello to the latest episode of Zero Downtime. My name is Shelley Calhoun-Jones and I'm a Technical Marketing Director here at Cohesity. Today, we're joined by Doug Rivers. Doug, would you like to do an introduction? Sure. I am not here in my company capacity. I have a colleague, a past colleague of Shelley, but she, I guess she had brought me on as a security professional. I guess I better earn up to that. I've been well over 25 years in security. I've worked for different companies like Symantec and Sylens and Zemperium. Mainly, I started off as a systems engineer and then I got into technical education and training, but my core has always been security. I recently retired from the military as a reservist. I was deployed to Afghanistan in an information operations capacity. I also serve as a deputy sheriff or a reserve deputy sheriff for the Macomb County Sheriff's Office, where I serve on the cybercrime team and the bicycle team to try to keep myself fit, on the mountain bike team. And I also do, I'm on the board of our local community college, Macomb Community College for IT advisory board. So I live and breathe all this stuff. I know it sounds like a lot of I love me and it's not. I just get bored easily and I like doing a lot of things. Doug is a rock star when it comes to security and we're very happy to have him on our show this week. And that was one of the reasons why we brought you on, Doug, is that we wanted to talk more about cyber resilience from a data perspective. And I can't think of anyone better than you to be on our episode today. So that really leads us into our topic because for a lot of us, we know that cyber resilience is more than just stopping attacks. It's about keeping control when things go wrong and also knowing your data, knowing what you have, where it is, who can access it, because it really does change how security teams detect, respond to and recover from a security incident. When data access and management is handled well, the incident stays contained instead of spreading across the entire organization. And I know that's something that both you and I have had experience with in working in previous roles is that it's really a matter of time, you know, to really get the incident contained and really understand how the threat got into the environment. So yeah, definitely. It's speed, it's the time, it's time to containment, but it's also the preparation. I'm sure we're going to be talking about that too, because, you know, we've gotten to that mindset and it's a correct mindset that it's not necessarily if something's going to happen, it's when and are you prepared for that when. But I think that's made us a little bit more complacent in preparation. It's like, well, hey, if it's going to happen, there's really nothing I can do. And that's just not the attitude to have. Yeah. A lot of security people have a glass half empty type of mindset where, you know, you have to really try to be the optimist, but think of how you can try to also minimize the incident from occurring again. Definitely. So when you hear the term cyber resilience, I know this has been bounced a lot within the security community over the last couple of years. What does it mean to you in relation to security operations, not just in theory, but in real practice? You know, here's what I think about it. And this might not be everybody's cup of tea, but when I think of cyber resilience, I think of a kind of a spectrum process. Right. I don't think, oh, OK, we have this software, we have this tool, we have this person or this group, we have a cyber resilience group. No, it has to be almost a religion. You actually have to live it. It has to be a process. And it goes from what I call information management. Identifying your information. What information is it there? Almost taking a government slash military view of it. This information, if it was compromised or, you know, what kind of damage could that cause? And to actually form some kind of data classification around that. And then you have the OK, then we have the protection mechanisms, the teams that are responsible for securing that data. And then we have the incident response teams. All through that, though, and this is something I would, you know, like to talk about during this podcast, too, is communication. There is really, you know, a lot of people think that communication is a soft skill. A lot of people are just kind of dazzled by the tech and everything like that. But one thing that I see now that I'm getting old and I'm starting to mentor people and I'm starting to serve on, like I said, on this IT advisory board and talk to a lot of different people in the industry from different walks of life, being able to communicate what's going on, what needs to be protected when an incident occurs, what happened without a lot of hyperbole, being able to talk to different types of audiences and be able to scale that back and being able to focus on what needs to be done. That's the overarching thing to me in that whole cyber resilience process. Yeah, no, I like that because you're not getting caught up in all the acronyms and the buzzwords. You're just explaining it succinctly, you know, what's happening, because a lot of times if you're dealing with an outbreak, you could be working with stakeholders that are not technical, but they still need to understand the issue so they can communicate it to the appropriate group groups on their end as well. Exactly. Exactly. I mean, and here's the thing. There's a lot of, you know, there's there's a lot of boogeyman type things out there and there's there's definitely reasons to be, you know, kind of cautious. I think that, you know, the term I've never liked the term hacker. I use the term adversary because hacker could hacker denote somebody, you know, it notes a lot of stuff that from pop culture and Mr. Robot and war games and all that kind of stuff. And that's cool for entertainment value. But there's to me, there's no such things as hackers. There's people with agendas. There's adversaries who are just resourceful. And I've always asserted that there's right now it is a lot easier for anybody to actually engage with, you know, free and open tools, free and open procedures, concepts, websites. I was playing with a flipper zero just recently, and I was amazed how easy it was to clone a card to a door access card. I mean, I didn't you really did not have to. I did not have to have any extensive training to do this. I did it in five minutes. Right. So that kind that's the environment that we're dealing with. We're dealing with an adversarial environment, not a hacker environment. So to bring all that back when you're talking to people and you're talking to executives or you're talking to people who might not have that technical grounding that you might have and all they know is the pop culture stuff out there. You have to be able to let them know about the threat, let them know about the danger, but kind of grounded in reality and kind of grounded in the fact that this is what people are trying to accomplish. This is how accessible I'm not going to say easy, accessible it is for people to attack us. And these are some of the things we can do about it. No, absolutely. You have to assume that your defenses will eventually be bypassed at some point. And not just that, but, you know, think about the business itself. Need to make sure that you're able to continue to make money as an organization, but also ensure that your customers stay safe or their data stay safe within your organization. So that's great. Those are all some really, really good points. And continuity too. I mean, I should have mentioned as part of that whole resilience process continuity, how do you get the business back online? I always tell stories and it's always about me because that's the subject I know best. Just what, a couple of days ago, my main windows creative machine went down. The latest windows update fried it and it said, Hey, it came up with one of those windows 11 black screens that says, Hey, there's nothing we can do. Sad face. I love the little sad face that pops up. But here's the thing. And I'm not saying I'm a genius or anything. I mean, this is just a small example, but I had planned a long time ago. I'd learned about the disposable C drive, which means if your drive goes down or your operation operating system goes down, I want to make it so that I can bring that drive back up. If I have a backup or if I don't have a backup in this particular case, I didn't have a backup without losing data. A lot of my other data was on my home NAS or on another drive or anything like that. My C drive is just used for a lot of, you know, applications that you just download. Now most stuff is cloud based. So I was back up and running after that massive crash in, you know, a couple hours just reloading applications and everything. Now, yeah, that's an individual versus a company, but that just tells you that that's part of that whole, you know, the end point of resilience is what do you do when you get knocked down? You have to get back up. Also, there's different workloads could live in different places. You could have some workloads that are still on prem. Maybe you're working with a legacy application that you really don't have the ability to move into the cloud. You might have to refactor or rebuild or pick a different solution. You could have cloud based applications and you could be working with edge. So all of these different components, it can be really stressful if you are dealing with an active security situation, having the ability to back up and recover from a centralized platform is going to make it a lot easier. And to that point, and to that point, because, you know, I do this, I have an auditing, you know, a little bit of an auditing background, too. Unfortunately, a lot of people don't see the cracks or the things that they should have updated or they should have moved on to or they should have done the application, the thorns in the application until something goes wrong. And it sounds like there's so much to do. I mean, it's like, oh, man, you want me to classify information? You want me to audit our applications and everything? Yeah. Unfortunately, yeah. Because, you know, you got to say, OK, that sounds like a lot of effort. But, you know, if something goes wrong, you know, financial, reputational impact, all kinds of other stuff. This is this is this is a valuable thing. So you have to put into work. It's like going to the gym. You know, you have to put it into work. There's no easy way. There's no easy button. Don't we wish there was an easy button? I wish there was. If you know where that easy button is, please tell me because I want to buy it. That's great. Well, that actually leads me into my next question. How does understanding what data you have, where it lives and who can access it change the way that a security team can respond to incidents? I think you have to have a realistic approach to it. I think that it would be great if we could go back to the old days. And I don't want to show how old I am when you had the mainframes and everything and everything was centralized. And you could say, OK, we can respond to it because everything's in this container. Right. The reality of the situation is you're going to have cloud. You're going to have on prem. Even even drilling down, you're going to have applications within your environment. You might have something and you might be a Google shop or a Microsoft shop and you might have things in Google Drive. You might have things stored on servers. You might have an on prem. I don't even know if Microsoft has on prem exchange servers anymore. They might. So, you know, there's going to be you're going to have confluence. You're going to have your you know, something I'm very familiar with, your learning management systems. There's data everywhere. So and it is in my I hate to say it, but in my experience, it is unreasonable and almost unattainable to say, OK, we're just going to double down and put everything in one place. And maybe you shouldn't because that's a you know, in some ways, maybe that's a single point of failure. But you have different stakeholders, all those different things I mentioned, you have different stakeholders there. Right. So the information management, in my opinion, the information management process is not just knowing where the information is, managing that information and classifying it, but opening up that dialogue with those stakeholders and getting in, making sure from a security perspective, you know, what type of information is there, you know, what the platform is, just getting a little bit more insight. And that will give you a lot more information when you can design or you can actually implement your security plan. Once again, it's communication, that overarching thing. If you're not talking to the stakeholders, you know, if there's some kind of weird marketing system out there that they have a lot of information in and you don't know about it, you know, you don't, you know, there's a there's a gap there. Personally, no. In my current employment, I know the CSO. I've talked to him. I've actually approached him, you know, proactively about and maybe just my background in security about, you know, different products, different things I'm trying. You know, when I chose the LMS, our learning management system, it was another information repository. I worked with him on the security review of that learning management system. So it's that whole thing. So in case something happens and hopefully I'm not jinxing myself, he's familiar with it. Right. It's not it's not bulletproof. It's not ninety nine percent, but 80 percent is better than being zero percent. It's better to know something or at least have an effort into actually knowing where all the information is, having a process, knowing who the people are, establishing that communication than actually having to do it when something happens, because there's all kinds of things going on. Yeah, it drives home the point that security is a shared responsibility. And it's good to it's good to kind of educate yourself as a security practitioner, understanding what the other stakeholders do and factoring in that at the same time, we want to make sure our environment is secure. We also want to make sure that the data is accessible so that we can continue doing our day jobs. That's great that you already have that ongoing relationship with your CISO to make sure that, you know, from an application perspective, that, you know, the applications and the workloads that you're using are secure and that, you know, you're you're checking off all of your boxes from a from a security perspective. Yeah. And, you know, that's and that's not because I'm a smart guy or anything like that. That's because I've either seen or experienced things where I did it wrong or I've seen it done wrong. OK, I am not I am only smart because I know a lot of smart people or I've made a lot of dumb mistakes. That's the way I look. Yep. Be humble and stay humble and enlightened. Exactly. Exactly. Exactly. And so communication, like I said, I can't I can't emphasize that enough. It's not a soft skill. It's great to know all the techie stuff. I love my tech. But at the end of the day, there is a there's a human element behind everything that we do. And we can't get those technical goals done. We can't get those security goals down unless we have that human element in there and that human element is based on communication. Oh, that's great. So in your experience, what points or situations do organizations frequently lose control of their data regardless of the security measures that you may have in place? I think once one of the things that we do is there's there's a couple of things actually now that I think about it. One is the dependency on technology alone to protect you or the dependency on technology, period. We're seeing a really interesting case with A.I. right now where, you know, we're letting A.I. do a lot of things, but we're we're seeing that it has to be supervised. I use the example of if you have a teenager and you're giving your 12 year old or 13 year old the responsibility to cut your grass, cut your lawn for the first time. Right. They can go out there and they can do it, but I'm sure you have a certain way that you want it done. And if you just let them go out there and do it, there's a lot of chances that things can go wrong. So it has to be supervised. Right. So I think that one of the issues out there is dealing with having a super not depending on the tech so much and actually being involved, being engaged in any type of technology you implement that that really impact your security posture. The other thing that I see is a necessary evil is information sharing. We have an ability or we have a thing out there. We have to share information with our partners, with customers, with, you know, between us. We have to share information or make information available. I guess I should say sharing and availability, you know, to employees who are have their own phones. They're walking all over the place and everything like that. That data is everywhere. OK, and it's very hard to control that data in the business that I'm in right now. If you look at if you really think about it, a lot of people don't realize this. You know, everybody has their phone and most organizations don't issue you a phone. Right. They might put some MDM or they might put something on your phone if you let them or if they have that policy. But it's a bring your own device type of thing. Right. And so and the same thing with laptops, everybody, you know, either if you work at home or not, a lot of people have laptops or tablets or something. So you're accessing that information. That information has little legs. It's going all over the place with all those people. Right. So actually, that's another issue of the sharing of information and the availability of information that that box has been open. We can't close that anymore. So being able to provide protections around that to try to lower the risk, you're not going to eliminate the risk, but you can lower the risk, you know, by implementing controls, implementing policies, processes, things like that. Those those are the things that I see are the biggest issues are the kind of the biggest things that you have to really get your arms around if you want to lower the risk of having a security incident. Yeah, I'm just thinking about that. It's been almost 10 years since covid. And I don't think I've had a actual corporate issued phone for a long time, longer than 10 years. I've always had just a personal phone that I've I have my you know, some some of my my email on and my slack. But it's I could see that being very challenging from a IT or security perspective. Right. I guess even your laptops, I mean, even you have a laptop, you're still for the most part, even though, you know, there's certain endpoint stuff is, you know, on traditional endpoints that you might have a little bit more control on it. But at the end of the day, most people are still the administrator of their own devices. Right. And, you know, if you if you look at your phone, how many how many apps do you have on your phone? Do you know? I can't tell you right now. All right. But the app you have on your phone. And here's the thing. And here's another thing you have to consider. How many apps do you have on your phone? And then how many of those apps are related to, you know, what you do for your organization and how many of those apps are like, you know, whatever, you know. Also, how frequently do you upgrade your phone to get a new phone? Exactly. Yeah. Or upgrade or upgrade the apps. So and this all gets back the information, you know, the information is all I could I could I couldn't access information in the military. We saw a really sea change because before everything was tightly controlled before I retired, everything was tightly controlled and you had to be in certain areas to access certain information and everything like that. And classified information is still like that. But even on our, you know, on our own, you know, intranet, so to speak, you couldn't get it wasn't possible to get military email on your bring your own device phone. Right. That's changed because the world has changed. You get, you know, in the Navy, where I came from, when I left, we do virtual desktops now, you know, where you could actually get into your MSCI system and you could actually be like you were actually at the reserve center or you were actually on a military site. That's the way that the world has forced us to go, because you have to have that information availability. If you can't have that information availability or that information sharing, you're going to suffer in productivity, in engagement, in all kinds of areas. So that that presents another issue that, you know, you have to think about, like I said, not doom and gloom and everything. You just have to think about how you can minimize things you can do to minimize those risks. Right. That actually leads me into my next question. In your experience, at what points do organizations most frequently lose control of their data? I feel like we've already touched on this, but do you have any personal examples of organizations that may have lost control of their data, regardless of the security measures that are in place? I'm going to mention something from a long time ago, and I'm not going to mention the who or the what. There was a, there was an organization that I'm aware of, I won't say if I worked for this organization or not, or if I was on the security team for this organization. Whereas once again, it was about a communication thing. There was a server that, that got compromised or it went down. There was a problem with the server. The server was used for some kind of marketing effort or, you know, with a little bit of a financial flair to it. And so when it may have been me, when we investigated where the server was, we found out that it was a server that was run by an executive's nephew out of his dorm room at Michigan state. Okay. And, and, and it was, it was, this was a long time ago. This was a very long time ago. But I, I, I would venture to guess that there are things happening like that right now. So think about what I just told you, Shelly. There was a server that was somewhere else. That was somewhere else. Wasn't controlled. An incident happened and we didn't find out about all this stuff until this incident happened, right? We didn't know the capabilities of the server. We had no communication with the stakeholders who were using the server. We didn't know what kind of software was on the server. He's a smart guy. He knows what he's doing. He's a, he's a computer science major, right? Visibility. This is a whole visibility thing. Something I should have mentioned earlier. Visibility is, is equally as important as communication. So all those things that I talked about, that's, that's a, that, that actually happened, I'm not making that up. And the scary thing is I would suspect that things like that are happening right now, maybe not in that much in your face, but using some kind of application that somebody found, you know, searching some open source repositories that all of a sudden without any type of, of security review or anything like that, you're using it and it becomes an instrumental part of your application or your motion, your operational motion, things like that. I mean, those are, that's happening right now. And I know that the whole security has an inverse relationship with productivity, but you got to put some common sense in there too. There are a lot of things that in my adventures, especially doing technical training and everything like that, it would just be easy just to do this, or it just appears to be easy just to, just to start using this program or just to start doing this or start doing that, or just share this using some kind of unauthorized sharing platform and everything, but it, it wouldn't be right. Right. And if something happens and it comes back on you, what are you going to say? You know, well, it seemed like a good idea at the time. It's not a good excuse. So that, those are, that's, I'm sure I could, if I really thought about it, I could think of some other stupid security tricks, anti-security tricks, but I don't want to embarrass anybody out there. Somebody might see this podcast and say, wait a minute, you shouldn't have said that. So yeah, there's a lot of stuff out there. Yeah. It reminds me of people who create a cloud account and they don't properly harden it. And then suddenly you have EC2 instances that are running Bitcoin mining applications. It happens. Or the person, or the person who is, you know, who's, who's on LinkedIn or he's on social media and they're responsible for some kind of platform and they love like the Detroit Tigers or something. They got Tiger stuff all over the place. And then all of a sudden it's like, Hmm, what's your password, dude? Tigers 84. Yeah. Let's try that. You know, it's that, it's that kind of thing. You know, that people are listening once again, not trying to sound paranoid, but I come from an information operations background. Part of this, I look at this in a different perspective in this, in the whole field of intelligence, Shelley, it's not the big thing. You're not actually going after, you know, man, this is the big thing that I want to get to compromise, or this is the big thing I want to do to get a lot of money, or this is the big thing I want to do. And all this other kinds of stuff. No, it's the little elements. All right. It's doing a little reconnaissance, doing a little surveillance, seeing what's out there, doing the, putting in the work, going out there and then saying, Hey, I can get in here going in low and slow and saying, okay, I'm going to look around here and why not put a Bitcoin miner on these, a couple of these machines and might as well make some money off of it while I'm in here, you know? And it's, it's, it's, it's, it's that nefarious. So it's, you know, it's, it's, it's, I'm not saying all this to once again, to do doom and gloom or anything like that. I'm saying all this to get to hopefully if somebody sees this and listening to all my nonsense here, they get, it makes them think and it gets them encouraged or it gets them riled up to say, yeah, maybe I need to do something about this. Maybe I haven't considered this. Right. So I'm actually trying to provoke an action, trying to provoke behavior. Exactly. Yeah. Cause for, for a lot of folks, they could be looking at a checklist of things they need to do within the environment. Maybe it's from a compliance perspective, but also thinking of thinking that this could help harden the environment from a, from a security perspective. And that actually leads me into my next question. How, how should security leaders approach data management when planning for security, not just for, for compliance? I think that in my, in my mind, we talked about communication. We talked about, I think one of the goals should be visibility. If you don't know what's going on and the adversaries are counting on you, not going, knowing what's going on, that should be a key goal in there, but you have to actually be realistic, right? And this is where it gets a lot of, to me, that's a lot more challenging than being, you know, getting the visibility aspects of it, because there's some technical things that you can do for, for, you know, visibility and all this other kind of stuff, but realistic, what do I mean by realistic? There are certain things that a security professional is going to say we need to do that they're going to get pushback from an executive or a C-level person, maybe their own CISO saying, Hey, we can't do that. We have to come up with something else. So, you know, having that flexibility and knowing that you can't, you know, just saying, okay, I want to protect this machine, just unplug it and put it in a closet, well, that's not going to help us, you know, you can't do that. Okay. That machine has to be plugged in. What can we do with knowing that it has to be plugged in? Unfortunately, we're in a, we're in a business where there's a lot of egos and there are a lot of people who, you know, my way is right and everything like that. And as a society, I think we've lost the ability to compromise and the realities of business is if you're going to be successful, you're going to have to, you know, realize that there's some things that you want to do. There's some things that you're going to be told that you have to do, and you're going to have to try to figure out a way to marry those things together. I know that probably you were expecting a little bit more of a technical answer, but I really think that these, these, these are some fundamental things that a lot of people kind of miss nowadays. You got to protect, you got to kind of really think about the hills that you want to die on and the fights that you want to do. And then you have to look at it in a realistic manner and say, okay, if we can't do that, what can we do? And that's, that's that next step that a lot of people just are either afraid to take, don't want to take because it just, you know, it kind of, you know, no, it's wrong. Well, sometimes, you know, you have to do what you have to do. Now, I'm not saying to do anything unethical, I'm not saying do anything blatantly open, like, okay, we're just not going to have any passwords anymore. I'm not talking about, I'm not talking about things like that, but I'm thinking that, you know, if somebody is really looking at this realistically, they know what I'm talking about. You know, we need this system here. We need to deal with this particular vendor. We need this, you know, how can we do that? I know there's some problems there, but we need to deal with this, with this, with this customer who is in this region of the country that, you know, it's a little bit, you know, shaky or you have had some issues. So, or this, you know, from a part of the world rather. So yeah, there's, there's, there's, you have to have that flexibility and you have to be able to really look at this stuff objectively. We're all humans. We all got emotions. We're all going to, you know, I, I've done it myself and we'll do it. Right. But if you're going to be successful, you're going to have to be able to take a step, a couple of steps back and say, okay, what is the actual outcome that we want to accomplish? The outcome isn't to feed you or your security team's ego. The outcome is to protect the organization, right? So your career and everything like that. I love my career and I'll, I'll build up my career and everything like that. But when somebody is paying you or when you're a part of an organization, that means you have to protect the organization doing what you're supposed to be doing. Right. Which is, you know, if it's security, if it's some kind of marketing or productivity or desktop or storage or anything like that, there's, there's a kind of a responsibility. I, I've been using the term malpractice recently outside of the medical field, right? There are certain things that people can do that is malpractice. Not following security controls, not really having those communications, not really going out for it being visible, putting, you know, rogue AI, rogue, you know, networks into an environment, all kinds of stuff. That's detrimental. Man, did I get a little soapbox there? Sorry about that. Yeah, you actually answered my, my last question. I was going to ask you if you had any advice that you wanted to give for like security practitioners and leaders. It sounds really like choosing your own battles and, and, and making sure that you're, you're focusing on protecting the business as a whole. Yeah. Choosing, choosing your own battles, focusing on the outcomes. This is something I still have challenges with. Being able to step outside and say, okay, am I being the jerk here? Right. Or being able to really look at it from objectively, what is actually trying to be accomplished here? And, and I think that if you have that particular mindset, it's infectious, it'll infect your team, right? You can go out and your team will say, yeah, what is our outcome here? It sounds really kind of, you know, after school special, dating myself again, but that's the way it actually will happen. If you really have a team that's focused on, on the outcomes and doing the right thing, you will have a successful team. Something I live by definitely is that teams are responsible for an organization's success, but organization's failure is always due to leadership. And, um, there, even as I see, even as an individual contributor, there is some degree of leadership that you have to do in doing your job. So even if you're a security analyst or any, or something like that, you have to show those leadership qualities and be able to, you know, because that will support your, your security manager, your security director, your CISO, um, and then the people outside the security organizations, your storage folks, your desktop folks, their marketing folks, your, all that kind of stuff. This is, this is all great information, Doug. And I really am so happy that we were able to get you on today to talk more about your experiences with cyber resilience. Before we wrap up, did you have anything else that you wanted to share with the audience? No, I, you know, what I would, I would like to once again, emphasize that there's a lot of bad stuff out there. There's a lot of bad things that you hear, but you really have to say, okay, what can I do, right? What, you know, to kind of focus on what can I do and not focus on a lot of gloom and doom and everything. Like I said, I brought up a lot of things that, you know, it's like, oh man, AI, information management, information classification, everything. It's, it's overwhelming. It's like, no, this is a blank sheet of paper, right? Here's a pencil. Uh, where do you start? You start in the corner. How do you eat an elephant? One bite at a time, right? Uh, this, we could do this. So I guess my, my thing is don't be overwhelmed, right? It's very easy to be overwhelmed. Concentrate on the goal. Concentrate on the outcome. You know, it sounds like really, I know some people say, well, that's easy to say. Well, it's easy just to throw up your hands too. Okay. So I'd rather go with the other. Well, uh, just for the audience, if you want to learn more about how to strengthen your cyber resilience strategy, we have a lot of great resources out on Cohesity.com. Recommend checking it out. Also, if you found this discussion useful, please follow us for more episodes of Zero Downtime, where we'll take a look at some of the trends that are shaping the data security in 2026 and beyond. That wraps up another episode of Zero Downtime. Thanks for watching everyone. Thank you. And thank you, Shelley.
