Most CISOs can talk tech inside and out. But when they have to communicate that to the business, the conversation doesn’t flow nearly as smoothly. Why is translating cyber to the business still a struggle?
Check out this post by Binoy Koonammavu of Secusy AI for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Edward Contreras, senior evp and CISO, Frost Bank. Joining us is best-selling cybersecurity author Peter Gregory.
Join the conversation on LinkedIn
Huge thanks to our episode sponsor, ThreatLocker
ThreatLocker makes Zero Trust practical. With Default Deny, Ringfencing, and Elevation Control, CISOs get real control that’s easy to manage and built to scale. Stop threats before they execute and reduce operational noise without adding complexity. See how simple prevention can be at ThreatLocker.com/CISO.
Full Transcript
Intro
0:00.000
[David Spark] Most CISOs can talk tech inside and out. But when they have to communicate that to the business, the conversation doesn’t flow nearly as smoothly. Why is translating cyber to the business still a struggle?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series. Joining me as my co-host, it’s Eddie Contreras, senior EVP and CISO over at Frost Bank. Eddie, say hello to the audience.
[Edward Contreras] Hello, audience. David, thank you for having me back yet again.
[David Spark] We love having you on. You’re great. By the way, our audience, if you’re not familiar with it, Defense in Depth lives on a website called CISO Series. Just go to ciso-dev.davidspark.dcgws.com. You will find this show. You’ll find important notes, actually links to stuff of our guest.
You’ll probably want to go check that out. We have lots of other programming, lots of other wonderful videos. Go check it out. Huge thanks to our sponsor, and that would be ThreatLocker. We appreciate it, ThreatLocker sponsoring the CISO Series. You’ve been doing it for a long time.
We recognize it, and I hope you, our audience as well. Please go to their website, threatlocker.com/ciso. Remember, add that slash CISO, if you don’t mind. Easiest way to let them know you heard about them from the CISO Series. Eddie, let’s talk about today’s topic.
Is the main problem of CISOs the issue of translation? Now, that’s what Binoy Koonammavu said. He works at Secusy AI, and he mentioned this on a recent LinkedIn post. He argued that, quote, “Your success as a CISO isn’t just about securing systems.
It’s about securing buy-in.” I thought that was an intriguing take. It’s more than just saying translation. So he said, “You need to frame risks as a business impact. You’ve got to speak in outcomes, not alert, and you’ve got to translate urgency into strategy.” I remember, Eddie, years ago, you were in my home recording a video about translating to the CISOs, speaking to the CISO.
It’s actually one of our most popular videos. This is a hot topic. This is a coaching strategy that Binoy suggested. Has that or something else worked for you specifically, Eddie, in terms of that translation to the business, the strategy that Binoy points out?
[Edward Contreras] I was so energized about this topic. I wanted to talk in depth and really give examples of this. The challenge that we always hear is theory. Everybody has the statement, “Talk the language of the business.” What does that mean?
[David Spark] We’ve heard that endlessly. Yes.
[Edward Contreras] Everybody says it, and you know it has to be done, yet it’s still a challenge. So if you were to break this three bullet points apart and say, “Okay, what does that mean? How do I use this?” So say, for example, you’re in a technology company, and they say, “What’s the risk or business impact?”
[David Spark] That’s bullet point one.
[Edward Contreras] Bullet point number one, what’s the strategy? If your strategy is we need to grow revenue by 20%, boom, you know what the business impact is. You want to grow revenue 20%. Your next bullet, speaking outcomes and not alerts. Okay, are we at risk of not achieving the 20% growth?
The next bullet says, what’s the urgency? You could say, if we were to get a SOC 2 report, it would open up the financial industry, the health industry, and we can sell to two industry we’ve never sold before, which opens up a market revenue stream for us.
So now, all of a sudden, instead of talking SOC 2, audit controls, security controls, you’re saying we do this task, we’ve opened up these two industries, our potential to hit that 20% growth is much more significant and greater.
[David Spark] That is a spectacular example, and we’re going to delve more into exactly just that. I love that you set it up that way. I’m thrilled to have our guests on. This is a person I’ve known for a long time. He’s kind of a semi-retired security leader.
Most of our listeners… I wouldn’t be surprised if they know him or have read something he’s written because he has authored more than 50 books on cybersecurity. That’s astonishing. The most recent one is the CISA Study Guide. I’m thrilled that he’s joining us, none other than Peter Gregory.
Peter, thank you so much for joining us.
[Peter Gregory] David, thank you so much for having me on, and it’s great to be here and to be speaking about this with you and Eddie.
What’s the optimal approach?
4:14.354
[Voiceover] What’s the optimal approach?
[David Spark] Chetan Jain of Deloitte India said, quote, “CISOs must translate tech into business value to win leadership support.” Okay. “The business hurdle is framing cybersecurity as a strategic asset, not a tech cost and linking risks in terms of revenue, reputation, or compliance impacts.” Love that.
Kuriyachan Joseph of Beinex said, quote, “CISOs or similar infosec roles should articulate risk in business language rather than the technical language to get management buy-in. You gave a perfect example of that, Eddie. Kuriyachan goes on to say, “The management doesn’t look at technical jargons.
They instead will focus on only business risk, which will end up in financial loss, reputation damage, or customer loss, and all of that.” So I will start with you, Eddie. This kind of sets up exactly what you were saying at the beginning of just be where they’re at, I think.
[Edward Contreras] Yeah. If you think about the origin of our industry, the security industry, we’re the last executive to the board, the last executive that’s invited to this meeting. So they’ve been having this conversation for decades.
[David Spark] That’s a really good point. You’re not at the beginning of the conversation.
[Edward Contreras] We haven’t been. If you think about the CFO has a place, the CEO, the COO, they’ve all had dialogue that you’re just not privy to. So now that you’re there, you can’t assume that they’re going to know what a SQL inject risk is. You should assume they’re talking something different.
So if you start to bring in that conversation into that meeting in particular, that’s when you get the side eyes. You’re going to be like, hey, you know, this is pretty technical. It serves a purpose, but does it serve a purpose in this specific meeting?
That’s where you have to change your discussion. So instead of talking about a SQL inject and a user interface that’s coming out with release X.3, you should really talk about, we have a product that’s generating 20% of our revenue. This product has some challenges with it.
We can address it with a small investment of whatever that dollar value is. If we don’t do it now, that could increase 10% quarter over quarter. When should we approach this challenge? That way, now, again, you’re talking about risk without having to introduce all the technical legal, but now you’re talking about something that they care about, revenue preservation.
So again, you’re in a meeting where there was 20 conversations before you got there. Now all of a sudden, you’re talking about a potential exposure to one of those. It doesn’t really need to be about SQL at that point of time.
[David Spark] Peter, I want to address something that Eddie just said with regards to timing, because one of the sort of the historical things things of like, well, security should have a seat at the table. But it’s far more nuanced than that. You’ll often get a seat.
It’s just when you get a seat. You should have your story ready at different times or better be prepared. You shouldn’t walk in blind. “Hey, what’s going on?” You know, kind of a thing, right, Peter?
[Peter Gregory] Oh, for sure, David. The problem is, is that in many cases, and as Eddie says, we’re kind of late to the game, late to the party. This is like, we’re the kids who are now just being able to sit at the adult table, but we’re still kind of expected to just be quiet.
[David Spark] Every now and then we want to hear from you, but just when we ask.
[Peter Gregory] Right, like speak only when spoken too. We’re still seen as nerds that don’t understand the business. In a lot of boards, they still wonder, like, “Why is this person even here?” All they are, they’re just tactical overhead. Many board members don’t understand how we can enable the business, protect revenue, and so on.
But then part of that onus is on us because we need to know their language and speak to their concerns and show that we are a partner to protect the business and that revenue stream.
What is the most critical issue?
8:16.538
[Voiceover] What’s the most critical issue?
[David Spark] Jerich Beason, who’s CISO over at WM, said, quote, “The only time I give someone my money without knowing what they are talking about is my mechanic, and I’ve been with him long enough to trust him.” I love that analogy. “Why would anybody think a CFO, COO, or CEO would be any different?
Leaders don’t open their wallets for things they don’t understand. It’s on us to find a way to ensure they understand.” Tom Le, CISO over at the Gap, said, quote, “I’d take it one step further and say that even CISOs with good communication skills, the ability to translate technology and risk into business, decision-making and outcomes, still need one more capability, influence.
Technical skill set goes to communication skills to align with the business, and ultimately, influence.” I like this idea of influence is that I think you get influenced by being a good communicator. If you can’t communicate, no one’s going to trust or believe you.
Come to where I am. I’m not going to where you’re at, Peter.
[Peter Gregory] For sure, David. Being a good communicator, we need to remember that we have two ears and one mouth. So we need to resist the temptation to just start blabbing when we think we have an in to get a little bit of airtime in in a board meeting or senior executive meeting.
It is our responsibility to understand as much as we can about the business. Oftentimes, that means we need to listen to concerns, plans, strategies, and so forth, and realize that security is never the top priority, not even in a security company.
[David Spark] All right, Eddie, saying to you is that I like this idea of influence. What do you think are the sort of the variables a CISO needs to be able to influence?
[Edward Contreras] First, before I answer that question, I have to tell you, I own so many flux capacitors based on that first quote. You know, your mechanic can tell me anything he wants. I’m like, “Yep, I need that. I need that. Fix the flux capacity.
You got it. Let’s get that there.” I honestly think that the skill that is needed here for that translation really is to be able to understand what’s important to the person you’re talking to, which could be different. No two CISOs, no two CFOs, no two CEOs are built alike.
So while you might work for a company that is in the banking industry, that’s in health care, that’s in retail, even the leaders at the table have a different passion. So if you understand how to touch that passion, you can deliver a different story.
It really is about storytelling. But if you’ve been to a board meeting, if you’ve been in a small company where they’re seeking funding, it’s not always about what you have in front of you. It’s how you tell that story. It is a storytelling effort.
So if you’ve ever had the opportunity to work with a marketing team and understand how they actually break down a conversation, how they break down an ad, how they look at a target audience, all that information is completely valuable for a CISO. So I would say worth your weight in gold, get a 30 minute, one-hour conversation at least once a month with your marketing team.
They are going to tell you this is how we communicate to this very specific audience. And then how do you use that now with your leadership team?
[David Spark] What would you add to that in terms of the qualities you need for influence, for a CISO to have influence, Peter?
[Peter Gregory] To be influential, we need to first be trusted, and that is going to rely mainly on having really good relationships with all of those different leaders in the organization, marketing, sales, IT, product management, or service management, whoever those are, legal and so on.
We’re not going to be able to influence them if they don’t trust us. To trust us, ironically, we need to be listening more than talking. We need to know where their pain points are so that we can help with those.
[Edward Contreras] If I can add on to what Peter said, I like that influence and trusting. It’s not always about telling a good story that people want to hear. Sometimes it’s about telling the difficult story that people need to hear, and that builds trust.
If you can come into a room where the first five presenters were talking about how great things are going to be, how the horizon looks not only sunny, but it looks like it’s going to be successful. You’re the one that’s going to come in there and put ripples in the water.
You have to have some confidence there. They have to trust you. So it is about being trustworthy, open, and transparent.
Sponsor – ThreatLocker
12:54.063
[Steve Prentice] Our sponsor for today’s episode is ThreatLocker. Let’s be real. Most cybersecurity tools only act after the damage is done. Detection is reactive. Prevention is what actually changes the game, and that is where ThreatLocker comes in.
Instead of chasing threats, ThreatLocker helps organizations stop them at the source before they ever run. Only approved applications, scripts, and executables are allowed. Everything else denied by default. It’s a control CISOs have been asking for, protection in force right at the execution layer.
Even trusted tools stay in their lane. Ringfencing keeps PowerShell and browsers from being misused, while storage control and elevation control tighten how data and privileges are handled across the enterprise. It’s zero trust made practical and scalable for modern enterprises.
Now, if you’re tired of alert fatigue, who isn’t? Endless detection noise, again, who isn’t? It’s time to shift the model. From detect and respond to deny and verify. Learn more at their website, threatlocker.com/ciso. Now do me a favor, go to threatlocker.com/ciso.
It’s the easiest way to let them know that you heard about them from the CISO Series. Go to that website and see how default deny can finally give you real control over your environment.
What must a security leader be able to do?
14:26.068
[Voiceover] What must a security leader be able to do?
[David Spark] James Braunstein of Apii said, quote, “Risk isn’t real until it’s tied to revenue.” Prabh Nair of Azpirantz Technologies said, quote, “Success as a CISO is about bridging worlds, shaping the technical reality into a narrative that resonates with leadership priorities.” I think you hammered that home at the very beginning, Eddie.
“My experience taught me fast that, quote, “tech talk” alone won’t move the board. The turning point was learning to translate security risks into language of business value and impact. True security leadership comes from putting policy and theory into action, testing, adapting, and refining controls under pressure.” I’m interested in this very last line is we talk about this sort of translating the language.
But when you’re translating, when you’re communicating, how do you show that you’re doing the thing you’re doing in a way that they can understand those not in the technical world of cyber, Eddie?
[Edward Contreras] It really is about having a consensus and building a document that the leadership agrees with. When you think about a policy, it would be so easy just to Google, ChatGPT, download a document, say, “Here’s our policy.” But if you don’t know the culture of your organization, if you don’t know how your leaders like to operate, if you don’t understand where they’re going, you’re going to adopt a policy that’s going to have resistance that people are going to bypass.
Ultimately, it’s going to expose you to some risk. So if you didn’t have those conversations early on, how do you like to operate? Where’s your comfort zone? Are you okay with having some risk? Are you okay with having risk at the edge with our customers or even with our supply chain?
If you don’t have those customers, it’s almost impossible to build a really good policy. That way, once you have those conversations and you roll up that document, if you’ve had those conversations, most of the people will look at that, say, “Yeah, that’s exactly what I talked about.
It reads how I think, and I think that’s really important.”
[David Spark] Same to you, Peter, in that, we talk about translating, about communicating, but this communication has to go beyond the do you accept this? Do you want us to put this flux capacitor in your car or not? How do you maintain it so they know that you have not put some bogus device into the system?
But that you’re maintaining the conversation like, “Hey, you know, the thing that we agreed about, we’ve got it in. Now, it can do this. Now, we can do that.” Kind of like how does that sort of ongoing conversation pursue?
[Peter Gregory] What we need to be able to do is explain what the technology and what the technology does, what it means in business language without using any technical terms at all. I learned this skill. I begin to learn it early in my career, and I’ve come to think of it as being bilingual.
We need to be able to understand the language of business when talking with business people and the language of technology when speaking with technology people.
[David Spark] So I’m sure that speaking technology with technology people is not a struggle for you at all. My question, what was the most difficult thing for you to learn when speaking business to business people?
[Peter Gregory] Being able to anticipate how I need to say something to have the impact that I intend in language they will understand.
[David Spark] I want to have this reaction. What do I have to say to get that reaction? That is not easy for anyone, I think. That’s super difficult.
[Peter Gregory] Think about this as well. For any CISO that works at a bank, every technologist knows what an asset is. You got to secure your assets. You got to secure your assets. Well, you walk into a bank boardroom and say, “We have to secure our assets.” Guess what they’re thinking?
Financial assets. We’re a bank. We manage assets. Managing assets is how we make money. But if you come in there as a CISO and say, “I got 30,000 risk that’s associated to our assets,” oh my goodness, half the room is just going to flip upside down and say, “Wait a minute, what are you talking about?” It’s like, “Our assets are sound.
[Inaudible 00:18:29] So who led him in here anyway? Get out.”
[David Spark] Good point. So I’m sorry, I cut you off though when I paused you, but continue, Peter.
[Peter Gregory] Being bilingual is so key. Another way to think about this is to kind of borrow from a well-known phrase is executives are from Mars and CISOs are from Venus. We CISOs because we need to be able to get into these business level and board level conversations.
We understand the difference in the way that we think and talk and act. I’m not convinced that all board members do. Boards and board members, that’s a long-standing culture. We’re trying to break into it as though we know what’s going on, and we really don’t.
What’s the motivation to fix this problem?
19:09.071
[Voiceover] What’s the motivation to fix this problem?
[David Spark] Richard Kim, who’s a CISO over at Queens District Attorney’s Office, said, quote, “Sometimes it’s just not a priority for the business. No matter what excuse people in our field will say, if the business understands the risk and the liability and it’s clearly communicated but does not think it is a priority or worth it over another business priority, then no matter how well the CISO, quote, “translates”, it won’t be a priority.
Example, “100 million investment in security versus 100 million investment into sales and marketing, which we’ll see an ROI of 300%. If we get breached, the fines will be 10 million. Eh, we can handle that, and the temporary reputation and stock price hit, so be it.
So if there is no accountability and real consequences to the business, will there be a change?” I think this is a good example. I know I’ve talked about this with Mike Johnson. [Phonetic 00:20:09] If the business understands the risk, and they see, oh, this could be a $10 million fine, but the investment could give us a lot more, and they understand it.
They accept it. Me as a CISO, I’m cool with that, too. Would you be cool with that, Peter?
[Peter Gregory] Sure. It’s their business. It’s not my business. So yeah, I’m all right with that. As long as they also understand another key term we haven’t talked about yet today, and that has to do with due care and negligence. But then again, a failure in either one of those can result in that breach that will have that financial and reputation hit.
But if the business is ready to accept that risk, hey, who am I to tell them that they’re wrong? As long as they don’t make me the scapegoat if the bad thing does happen.
[David Spark] I got to assume, Eddie, that is a part of the conversation between security and the business. They don’t just say yes to everything you tell them by no means.
[Edward Contreras] Absolutely. I’d love to pick apart this quote. I read this one at first, and I’m glad you have it as the last one here. You’re having the wrong conversation. If you are pitting a cost center against a revenue generating center, you’re going to lose that conversation 100% of the time.
That’s not the role of the CISO. There’s a phrase, “pick your battles.” You have to understand, where do you dig your hills on the ground? Where do you actually go and say, no, this is something I want to absolutely defend versus what I’m willing to relinquish?
I love what Peter said earlier. It’s about trust. If you use those battles sparingly, when you do come to the point where you want to dig your hills in the ground, you’ve earned that trust, and they will make the right decision. But this is 100% the responsibility of the CISO.
How did you frame it? What were you competing against? Did you set up your discussion for failure because you chose the wrong argument? So this is where we have to own it as CISOs. How am I pitching this? How is it landing? And then what is the expected outcome?
It’s kind of like poker. You always have to assume every hand is a winner and every hand is a loser. You have to understand how to deliver that.
[David Spark] Okay, so let me ask you a question. Neither of you have this sort of desire or in any way are suggesting that our audience behaves like Chicken Littles and says, “The sky is always falling. ” But my question to both of you… And have you ever had this situation where you have built the trust, you really, really worked hard in building the trust, and you did have a sky as falling moment, and you really had to turn on the screws of saying, “Guys, we really need to pay attention to this.
This is really, really scary,” and they did listen to you? I’ll start with you, Peter.
[Peter Gregory] One example I can think of, I’m not sure if this is directly answering your question, David. But in a public company I worked in, we had a physical break-in that resulted in the physical theft of numerous IT assets. Some of those included some customer contact information and so forth.
After that happened, the senior executives in the company, they got it. They understand what the pain is like. It’s a little bit like thinking about a car accident and being in one. Until you’ve had an airbag blow up in your face, it’s hard to know exactly what it’s like when the sky does fall.
[David Spark] But you know what? I think it also helped that it was a physical break-in because that’s far more tangible, and they can understand that.
[Peter Gregory] True.
[David Spark] Yeah.
[Peter Gregory] True. That’s why in part of my describing risks and consequences to business leaders, I often use metaphors. I’ve done that for so long that they just roll off my tongue. Maybe one out of four of them kind of fall flat, but much of the time, they get it by taking some kind of a technology or cyber-related risk and saying, “Well, this risk is kind of like something in the real world like this or that.” And then they go, “Oh, I see what you mean.”
[David Spark] Yeah, they got to put it to something they can comprehend. All right. Eddie, have you had a moment you’re level-headed, then one day you’re like, “Okay, I can’t be level-headed today, guys.” Have you had that?
[Edward Contreras] I have. It has happened several times, and you use those events sparingly. One of the things that I do as an executive of my company is I understand the profile makeup of every executive and board member that I interact with. I know what they’re a part of.
I do my research. I make sure what have they experienced that I could relate to. Very similar to what Peter says, right, we have to use metaphors. We have to talk in their language. But personalize it. Make it hit home. If a board member of yours is on 10 other boards, if they’re a general counsel, if they’re a retired CEO, if they’ve written a book, you have to tell the story in a manner that would resonate with them.
Sometimes you do have to say, listen, what I’m about to tell you, not only am I passionate about, I need you to be just as passionate alongside with me. I’m going to tell you why. And then that’s when you shift over to the metaphor. If you use that sparingly enough, and sometimes it does happen back to back, but as long as it doesn’t happen all the time, they’re going to trust you, and they’re going to follow you when you need them to follow you.
[Peter Gregory] I’d like to add to that, too, in my experience as a virtual CISO in one company, I had really great relationships with two of the board members, and I regularly had one-on-one meetings with them when they were in town for board meeting week.
Starting with one or two board members who will help you get established and get your reputation as a trusted party who can speak to the board and the things that they need to hear, that can be really helpful.
Closing
25:36.345
[David Spark] Excellent. Well, this brings us almost to the tail end of the show. It’s a point where I ask you, Peter, which quote here was your favorites? There are a bunch of good ones. Which one was your favorite? Why was it?
[Peter Gregory] Well, my favorite quote was, “Risk isn’t real until it’s tied to revenue.”
[David Spark] Yes, that’s from James Braunstein.
[Peter Gregory] The reason I think about that is that cyber risk is something that is not present on a company’s balance sheet. If you have two otherwise identical companies, one with low risk and one with high risk, the balance sheets are the same. Even though one may be utterly negligent in many or all things cybersecurity and that a breach is likely to occur any moment, even if one hasn’t occurred already.
So that is one reason why it’s hard to communicate risk in those tangible terms because it doesn’t have a place in financial statements until something bad happens.
[David Spark] All right, Eddie, your favorite quote and why.
[Edward Contreras] I’m going to go back to where this all started with Binoy. I love the ending where it says “It’s about securing buy-in.” A security person, when you’re thinking about securing technology, the company, you also have to secure buy-in.
It’s perfect for our people within our industry.
[David Spark] By the way, what I said before, part of security buy-in is, “I get it, I understand the risk, but we’re not going to do it because of this business imperative that’s going to generate X revenue.” And that’s part of buy-in. That still falls under buy-in, yes?
[Edward Contreras] Absolutely. I mean, if you’re a part of a company, you’re a stakeholder in that company. The collective makes the decision. It’s not just the CISO’s position or the CEO’s position. There’s a group there that makes it together. Ultimately, someone may have that final vote.
But it is a buy-in, and it’s a consensus. As long as you’ve told your story adequately, if you held your professionalism where it needs to be held and you’re trustworthy and transparent, you should get the outcome you’re looking for that’s appropriate for your company, which may not always be the security effort.
[David Spark] Excellent. All right, well, that brings us to the very end of the show. Huge thanks to our sponsor, and that would be ThreatLocker. We appreciate it, ThreatLocker sponsoring the CISO Series. You’ve been doing it for a long time. We recognize it, and I hope you, our audience, as well.
Please go to their website, threatlocker.com/ciso. Remember, add that slash CISO, if you don’t mind, easiest way to let them know you heard about them from the CISO Series. I want to thank you, Peter. It’s so awesome having you on this show. We’ve known each other for a long time.
Essentially, we keep running to each other at conferences. Peter Gregory, if you don’t know, just look up his name. He’s written a ton of books. Most recent one is the CISA Study Guide. You also have a brand new AI governance training course on O’Reilly.
We will have links to both of them on the blog post for this episode as well. Any last words from you, Peter?
[Peter Gregory] Thanks for having me on, David. The most important thing for us as security leaders doesn’t have anything to do with security. It’s about earning trust at senior executive and board levels and understanding them and being understood.
[David Spark] Excellent. Well, thank you, Eddie, as always. Thank you to our audience. I say it all the time, and I mean it all the time. We really appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe, so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review. Leave a comment on LinkedIn or on our site, ciso-dev.davidspark.dcgws.com, where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at David@ciso-dev.davidspark.dcgws.com. Thank you for listening to Defense in Depth.