A Zero Trust Leadership Podcast
From Compliance to Containment: The New Era of Financial Services Supervision | Phil Park
In this episode, Phil Park, global cybersecurity and risk leader at IBM, brings a practical perspective on how supervision is rapidly evolving from compliance checklists to real-world operational readiness.
Transcript
Raghu N 00:00
Welcome back to The Segment. I'm your host, Raghu Nandakumara, and today I'm especially excited to sit down for this conversation. If you've spent any time around financial services lately, you know supervision is changing fast. Expectations are broader, more global, and increasingly tied to technology resilience and how institutions actually operate day to day. And as we head into 2026, those shifts are becoming impossible to ignore. Today, we're going to unpack what's really changing and why it matters for the industry. I'm so excited to be joined by Phil Park from IBM, a global cybersecurity and risk leader with more than 25 years of experience helping financial institutions navigate regulatory pressure, emerging technology, and operational resilience across the U.S., Europe, the UK, and Asia Pacific, in fact, all over the world. Phil, great to have you here.
Phil Park
Raghu, thank you so much for having me today.
Raghu N
It's our pleasure. So Phil, I always like to start these conversations before we get into the topic, to understand sort of a bit of your background and how you got to be doing what you're doing. So take us on a quick tour of the Phil Park CV.
Phil Park 01:09
So I'm again, dating myself. I go through my history of it, but really, I started my career right out of college, back in 1998. During the, believe it or not, the Y2K height. So those of you old enough, yeah, I was right out of college, hired by Verizon, so I started as a software engineer, rapidly changing those legacy codes. So the Y2K was with that impact, fortunately, as we are here, all of us, it did not, fortunately. So, from software engineering, I got into cybersecurity in terms of protecting critical infrastructure in the telecom sector. Then I eventually moved on to the big four with the Deloitte Consulting focus on cybersecurity consulting, and from there was where I really got into financial services market. So we did a lot of focus on not only financial services, because around that time, also was the Sarbanes Oxley era, but as well as they, you know, regulatory bodies were having increased scrutiny in terms of, back then, information security protections and others. And around that time, there are slew of other regulations, like GLBA that also start coming out. So it becomes very important, right? So about 10 years in the Big Four consulting besides Deloitte, KPMG, and PwC. Then I eventually moved to IBM and Microsoft, Microsoft and IBM, again, focus on cyber financial services market, all on cybersecurity consulting.
Raghu N 02:39
Awesome, I mean, like you've got all the medals there. It's funny, like we've had a few others on the podcast over the years who are deeply involved in sort of Y2K remediation, and what I hear from them is that as midnight approached, everyone is sitting there nervously, and then nothing happens. Was it relief or disappointment?
Phil Park 03:04
I think for me, it was more of a relief, right? I remember that night when I was on call, and I had three pagers. I'm really dating myself with pagers, model pagers. Yeah, I had three of those, you know, on my belt, ready for something catastrophic to happen, but thank goodness nothing, nothing bad happened to the world.
Raghu N 03:23
Or maybe the pager network had gone down. That's amazing. And you talk about, sort of, I my background isn't a story, just yours, but I started my career in cybersecurity and financial services, and you mentioned Sarbanes Oxley, and sort of just as I was coming into the industry in late 2004, early 2005 like SOX compliance was a key driver, right? And was very much at the top of mind in the information security risk programs. So, sort of getting into the topic we're discussing today, when you think about how cyber and operational risk were treated five, 10, or, hey, 20 years ago, compared to now? What's the biggest mind shift you've seen, both from regulators and from institutions?
Phil Park 04:11
Yeah, I mean, that's an excellent, excellent question, right? We're not, we're not really look back in the like that last 10 years. I think the biggest shift from both the regulatory, regulators and the financial institution has been like the movement from asking, “Are we protected?”, which has been the case for longest time, to “Can we operate through disruption?” That is the like a fundamental mindset change that has taken place where cyber and operational risk used to be just purely controls, frameworks, policies, checklists, and maturity score. Today, they're increasingly seeing this as more of a business, business model issue, where regulators want proof that critical services will remain available even when major systems have value. Years or key vendors go offline due to a cyberattack. And institutions are also realizing that prevention alone isn't enough. They need a containment and recovery that actually works under pressure. So where in the past, it was more static, I would say it's more dynamic now, and the regulators are increasingly looking at in a more real world case, right? In the ideal case.
Raghu N 05:24
It's really interesting because you, you kind of very determinedly said, right? Like prevention is no longer no longer enough, right? We need to focus on containment. And it's interesting because, like, I obviously work at Illumio and have been involved in sort of shaping, sort of our messaging positioning, and I remember when we started using this term, like “containment” and “breach containment”, I kind of thought, “Oh, this is something that we're coining to sort of craft a niche for us”. But then I sort of picked up, I think at that time, it was like the Dora proposal, right? And there, front and center was pretty much word for word. What you said, cyber attacks are inevitable, right? And organizations need to focus on how they contain and operate in this new world. So, yeah, it's kind of amazing how that's become mainstream. So actually, I want to just ask a bit more about this. Is that, given that that sort of requirement for resilience is now paramount, right? How is the testing of that evolving?
Phil Park 06:18
Yeah, and there's another, very interesting point we're seeing fundamental shift is when that disruption hits. The real test is really isn't just technology, and I think that's been sort of more heavily scrutinized in the past. Now the regulatory regulators and the supervisory body, they're looking at end-to-end, all the way to in terms of leadership, judgment, the clarity of decision making, the cross-functional coordination, not just within cyber, but other units as well within the organization. Importantly, the ability to communicate transparently, without the chaos or delay. So, regulators are watching, how fast can you isolate that problem, and how well do you understand your service dependencies and whether you're maintaining that continuity for your key clients. And yes, you know, I think it's absolutely fair to say that regulators are watching less for perfection, yeah, because they know perfection is impossible. So what they care about more is, you know, what is the quality of the response when something goes wrong. How quickly can you escalate, and how confidently do you act in a crisis, in a management mode? And how consistent are you in telling that story?
Raghu N 07:33
Yeah, absolutely, because it's so it's almost like shifting to one of assurance that you're well prepared to handle that incident versus a checklist of, have you done x, y, z? Would that? Would that be accurate?
Phil Park 07:48
Yeah, that is absolutely correct, right? So, as I mentioned, it's how well are you prepared? Again? They don't expect perfection. Nobody does, right? But do you have the key core processes in place. Have you also, you know, interestingly, have you done this number of times, right, in a simulation rather than a static base? Yeah, as I alluded earlier, about that dynamic, dynamic, dynamic environment.
Raghu N 08:13
And you mentioned right, that this change in the sort of supervisory or supervision approach, right, going from essentially a compliance checklist to very much about preparedness, right, assurance, and being able to handle situations. Given that we're seeing this not just from regulators in a particular geo, but also now globally, what kind of new expectations and pressures is this putting on security leaders and the boards they report to? How is it impacting their role?
Phil Park 08:46
Yeah, absolutely, for traditional CISOs, where they tend to be more silo 10 years ago, that's no longer the case. They had to have regular conversations with their peers and the risk office, risk management office, as well as legal, operations, vendor management, and even finance, to have a more unified approach in terms of crisis management. And from a board perspective right, they are increasingly becoming aware, not just because, again, regulators are now holding fire to their feet in terms of accountability, but also it has, as we've seen in several news stories in the past, that it could have a significant impact in terms of the fiduciary duty, as well as a significant financial impact to their organization, their public company.
Raghu N 09:36
So you kind of mentioned something really interesting there, right about historically, CISOs or the security organization has been quite siloed, right? But you just said that these new requirements really force a significantly more holistic, joined-up thinking across the organization, because no single part is solely responsible for resilience. Everyone's got a part to play. So, are you seeing that CISOs are being given significantly more authority in addition to the accountability that they already had?
Phil Park 10:09
Yes, and what we're seeing is on several large financial services organization is traditionally the CISO reported under the CIO, but that organization model is shifting where now they're sometimes peers to the CIO, or in other cases where they report straight to, let's say, the chief operating officer or the chief risk officer, so that the traditional model of CISO reporting the CIO is changing quite significantly.
Raghu N 10:39
And in terms of like how, as this shift has changed, right and of course, right as those, the supervisory requirements are also changing. Our CISOs are part of that organization; are they finding it easier to now demonstrate outcomes? Or is that still a significant challenge?
Phil Park 10:58
That is still, in many ways, a lot of our clients are facing difficulties. To your point that the outcome-based approach is the key, where, in the past, it was checklist-based. So the fact that the organization has to prepare the entire enterprise in a collaborative manner for these supervisor examinations has increased a lot of pressure on the organization. So boards are now for this, for the CISOs and the boards, right this pressure, they're now accountable for the resilience of the whole entire operating model, not just the policy oversight. And the CISOs are expected to show that the operation improves, you know, the scenario test, the failover results, the ability to isolate the tag before you know it, further expands upon. So the biggest gap that I see is that many firms, again, rely on the frameworks and heat maps while supervisors want that action and that outcome you alluded to.
Raghu N 11:56
So if there was one specific area, because you've covered a few different things that CISO organization now needs to demonstrate. Is there any particular item in that list that is currently the most challenging for them to demonstrate suitably?
Phil Park 12:12
So a lot of times, what we're seeing is when they do, let's say, these kinds of resiliency tests, they obviously do so because if you do something closest to the live, it can be very disruptive, so they try to minimize it, ensure that there's negligible impact on their operation. But the quality of that, that exercise, whether it's tabletop or some simulation, it has to reflect the reality of their not only in terms of their capabilities, but also in terms of their whole supply chain. And what I'm saying out in the field is they may feel pretty confident about their capabilities internally within the organization, but the challenge is, yeah, they do not have full confidence in terms of, let's say, all the member, critical members of their supply chain are as resilient as their organization.
Raghu N 13:04
Actually, that's an interesting point, right? Because what I've seen is how much of a focus there is now on supply chain risk and third-party risk. But it feels like it's kind of like the problem that is always really difficult to solve, because we essentially have, often have no responsibility what the third party is doing. So, from your perspective, and also in your role in advising your customers, how are you framing, or what are you framing as the best approach to manage third-party risk effectively?
Phil Park 13:36
Yeah, so in terms of, like, anything else, right? Even like vendor or third-party risk management has a life cycle. The earliest, the best thing you could do is have the earliest visibility in terms of who your critical suppliers are in your overall business, your business unit. So increasingly, we're seeing good organizations that collaborate proactively with cybersecurity to let them know that these are our, let's say, tier one, tier two, tier three, basically ranking the most critical vendors to the organization's business outcome. And then they collaborate with these vendors to ensure that they are meeting that particular organization's expectations in terms of cyber resiliency, and able to demonstrate when, let's say, they are going through some kind of external audit or supervisory review, that they are able to furnish necessary evidence that they could recover in a potential outage.
Raghu N 14:38
Right, and so do you think, like, for example, I'm relatively more familiar with DORA than other global regulations in sort of operational resilience, and that, of course, has taken the approach of identifying sort of critical third parties, right, the likes of the sort of the hyper scalers, etc., right? And saying, Okay, well, because you're so critical to the financial system, right, you need to also be compliant, right? Do you think that that type of approach is sort of a best foot forward to helping organizations manage that third-party risk of it being a necessary requirement?
Phil Park 15:12
Yes, absolutely. Right. So when you just touched upon DORA, and we look at it from a global regulatory perspective, regulatory convergence, right, DORA is entering a new phase in 2026 with the critical ICT providers you just mentioned, under direct oversight. So what banks and providers will experience more is like a joint examination that go deeper into that, into the dependencies, plus backup, the backup realities, the architecture vulnerabilities and so forth. So the early challenge will be transparency, and that is the keyword here, in terms of the organization, to be as transparent as you can with these supervisory boards in terms of coordination across multiple entities, and being able to demonstrate, not just the scribe, but demonstrate that result, resilience.
Raghu N 16:01
Absolutely, so let's talk about some specifics around, particularly, like, one of the key things around, sort of the evolution of these regulations, is really around reporting, right? And what requires reporting, what requires escalation? So like, when an incident occurs, when disruption occurs, let's stay focused for a bit, right? What triggers escalation or deeper scrutiny from US supervisors when compared to some other regions?
Phil Park 16:29
Yeah, so more for the US is more heavily focused in terms of your preparedness as well as how rapidly you can recover from the potential incidents, whereas from the, you know, the European Union point of view, they're focusing on overall end-to-end processes, besides, in terms of being able to address the recoverability. If I were to advise, let's say, a European CISO, I'll be able, you know, I would probably say that you should be able to demonstrate in a live, practical way how you would isolate a major failure and keep your critical services running and have a traceability in terms of every critical services down the technology and the third parties that support it, because the ECB teams are pressing the banks really hard in terms of actual readiness, the runbooks that work, the escalation path that are tested, the vendor access plan, plan that are credible, and the rapid containment capabilities.
Raghu N 17:28
In terms of that, demonstrate like that, being able to actually provably show your resilience. Are you able to talk a bit about some, let's say, from your experience with some of your clients, with your customers, some of the key things that those customers have implemented that are helping them not just become more resilient, but also be able to demonstrate that more effectively?
Phil Park 17:52
Yeah, absolutely. So key things are having that runbooks, I mean our detailed run books, as well as decision trees, as well as well as communication protocols, a list of your critical third party, third parties, along with evidence that those third party have resilience capabilities that align with the regulatory requirements, as well as evidence of containment capabilities and not just prevented controls.
Raghu N 18:18
So what is that like when you think about containment capabilities, like, what does that typically look like in an enterprise? Like, what are organizations prioritizing?
Phil Park 18:28
Yes, definitely, right? So, is able to, importantly, I think an important thing is, again, from an Illumio perspective, is having that segmentation? I’ve seen too many clients that have a flat network, per se, right? And they don't have a proper segmentation that enhances a containment from a technical perspective, but also in terms of awareness of not just from a security organization, but also from overall risk management as well as audit, as well as compliance, that there are probably proper plans in place in terms of if the blast readiness is somehow to go beyond the required areas, is to have the proactive plan, as well as controls in place to address that the expansion of the blast radius.
Raghu N 19:16
Awesome, I mean, we don't expect a plug of Illumio on the podcast, but when we hear one, we absolutely love it. I mean segmentation amongst, like a set of key containment controls to limit the spread of an attack is, is pretty much essential for every organization, and particularly, something as critical as financial services. So I actually want to go back to something that I forgot to ask, right? And we're talking about incident notification, right? And where you've got organizations that are under the purview of sort of multiple oversight bodies, right? Where you've got, like, federal requirements, you've got maybe state-specific requirements, you probably have something for the SEC in terms of 8K Disclosures, and all of these have different timelines. How are organizations and US banks, in this case in particular, how are they adapting their playbooks so that they're able to meet all of these overlapping timelines, but without overburdening themselves? Like, how do they manage that?
Phil Park 20:19
Yeah, that's, that's an excellent question. So in terms of it can be very burdensome, but I think the key here is being able to have a cross coordination with the right stakeholders within their organization, as well as external to ensure that all these key artifacts and all these controls have been tested and are readily available because we touch upon the earlier discussion about moving away from static checklist to more dynamic evidence proof. So they should have the ability to meet what's required by regulatory requirements, be able to furnish live. You know that security controls can address that. So it's a similar way that in cybersecurity, asset management is critical that evidence controls, evidence capability, being able to demonstrate that live is also very critical in this situation, rather than trying to, at the last minute, trying to run and gather all these core controls and assets.
Raghu N 21:26
Absolutely, actually, it's just while you're saying that, something else sort of cropped up that I'd love to get your perspective on. So like you've said a few times in this conversation about that shift from being a checklist based approach to one about really being demonstrable, right? And if we now sort of, kind of also put a bit of a global perspective, right? And let's again, like, whether you want to pick something like DORA, or you want to pick, let's say, like the regulations in the UK, from the PRA and the FCA, but then tested via something like CBEST, right? A lot of these now are shifting towards much more around proportionality in terms of controls, right and threat-led, and threat-informed approaches to both in terms of threat-informed, and threat-led defense, but then also threat-informed testing. Because when I think about that, that's much more rational, but also from an assessor's perspective, from a supervisor's perspective, it creates challenges, because every organization has a different perspective on threat, right? So how do you now essentially compare one organization’s compliance compared to another, where potentially those, because those checklists don't really exist anymore. How are supervisors dealing with that?
Phil Park 22:51
Yeah, so, so the threat that, let's say, let's take, for example, pen testing right a thread that pen testing is, is also a lot bigger shift than many, many expect. So the heavy part isn't the testing; the most critical part is actually the scoping, the governance, and the remediation cycle, which is also heavily dependent on third parties, as well, so on. The question, you know, whether a firm can maintain a single incident narrative that satisfies DORA, NIST2, or GDPR, or anything else in practice, is no, yeah, you can't right. Each regime has its own unique thresholds and reporting lenses. So what can you do to maintain that set of facts and adjust the framing per regulation? You know, ECB teams are pressing banks hard on that actual readiness. So, you know, they want to examine, like the runbooks that work, and escalation path, and the vendor exit plan that are credible and rapid containment capabilities that are realistic.
Raghu N 23:53
Just on that point regarding sort of what the ECB is pushing for with DORA, sort of having officially come into force, I think in January 2025, when do you think we're going to see sort of the first reports that that sort of provide us a readout on the state of DORA compliance in the EU? Do you sort of have a perspective on when we're going to start seeing that?
Phil Park 24:18
Yeah, I would. I would. I would, kind of mirror that to previous new regulations that have been recently introduced, and that may take again, depending on the obviously, the size of the financial institution, the larger ones tend to be more proactive and better prepared, and they may, we may actually see some actual results within couple of few, a few years at most, whereas the, let's say, small entities, it may take longer, right? It's in a similar way, the story kind of mirrors, you know, what's what was happening previously, when, for example, the previous major regulation around GDPR. It just varies depending on the size of the organization as well as their overall compliance department capabilities.
Raghu N 25:05
And one thing I've not really fully understood, right? And again, this goes back to having sort of a clear checklist of, oh, have you done these things? To now, kind of the approach that the regulators are taking, what do you think a pass or a failure will look like, right? Who, because I feel, is not a fixed goal post. Now, so what do you think that will look like for organizations?
Phil Park 25:30
Yeah, I think the key thing here is assumptions. So most assumptions fall apart, either in scenario testing or where you realize dependencies aren't as well understood as you thought, or during a real incident. So, human behavior is where the human behavior diverged from the plan. So the old ad is that everybody has a plan until you get hit in the mouth, right? That sort of comes true in this situation as well.
Raghu N 26:13
Yeah, absolutely. It's like, yeah, you get hit in the mouth, and you then determine, like, how badly it's hurt you, right? And that that's probably the indicator, yeah. Okay, so just, just, like, like, moving along, right? I mean, I'd love to just tap into your experience and help your customer base. So, as these changes have happened in the regulatory landscape, what are some of the most interesting challenges you and your customers have had to overcome in order to essentially navigate it and be successful?
Phil Park 26:40
So, so when the supervisors come to decline and challenge this tolerance we talked about earlier, and you know, they actually want to see that it reflects on reality, you know that they can recover, not just some number, you know, chosen from, you know, randomly or through comfort. They had to have a change in mindset in terms of understanding that it's okay if they find some critical areas that you may have fall short on. But the most important thing is making sure that you acknowledge it and you have a plan to address it, and then you actually give a viable plan of action to remediate that within, again, the regulatory guidance timeline. So yeah, some of the near misses that reveal some huge near misses reveal a huge amount is like, like weaknesses and escalation, for example, yeah? Or very brutal processes, yeah. And places where resiliency depends on, let's say, one person, and I think that's gonna happen right for heroic means, rather than an institutional discipline. Yeah, those are some of the common things, like the regular regulators, you know, kind of see that, that in terms of, you know, the missus, and then the most important, you know, my mindset shift is for anyone dealing with the supervision is evidence matters is more than just a narrative. Your supervisors will look at, you know, what happened in your last disruption? Yeah, not just what's in the plan.
Raghu N 28:14
Yeah, that was, I think the way you express that is brilliant, right? Because once you make that transition from moving from a checklist to demonstrable outcomes, that becomes a true test. And I think I love the way you expressed it. Is there anything here that depends on a single individual, right? Is the human a single point of failure, and that comes, that comes crashing, crashing down, so just flipping that around, right? And you also spoke about containment now becoming a core capability across the organization. So how that, as organizations design for resilience, like, how has that transformed into sort of changes across the organization?
Phil Park 28:56
So in terms of containment? So this is typically, again, the mature organizations; they tend to see this in an annual, let's say, some kind of cybersecurity, resilience, and overall business continuity planning. So a lot of those capabilities in terms of, let's say, containment, crisis management, do exist through enterprise, you know, business continuity or disaster recovery exercises. Now what we're seeing more is we're seeing that cyber, let's say a ransomware, for example, incident being a very, you know, one of the top scenarios in the enterprise business contract disaster recovery exercise. And it does involve all the key departments and the stakeholders, to, again, demonstrate the realistic ability to meet that recovery time objective or recovery point objective.
Raghu N 29:48
Yeah, yeah, for sure. So of course, right, like we're in a conversation, and no conversation in 2026 particularly about cyber, can escape the mention of AI. So when we think about resilience, when we think about financial services regulations, particularly those that focus on building better operational resilience, better cyber resilience. How are organizations factoring in AI into their thinking?
Phil Park 30:16
Yeah, I mean, it's a double-edged sword, right? We're seeing rapid productivity enhancements thanks to AI, as well as in the cybersecurity space, we are using AI in terms of abnormal behavior analytics. But at the same time, the threat actors are also leveraging AI into very sophisticated malware engineering to even deep fake this year, I had one client where there were almost became a victim of a deep fake social engineering, where this person, the CEO, actually was on a web meeting, and this person looks like the other VP that in accounting that, you know, looked real, the voice was real. But in actuality, when they kind of suspect something a little bit abnormal on the request, they found out that it was a deep fake, right? That's just one example where that is becoming increasingly concerning, and a lot of organizations like IBM and others are looking to address that, in terms of combating deep fakes, because we expect that to be a significant issue that becomes increasingly important in the coming years.
Raghu N 31:28
And yeah, absolutely right. So what are you thinking about this in the context of operational resilience, are there any key challenges that you foresee, or organizations foresee, that are particularly AI-centric?
Phil Park 31:42
Yes, so as organizations roll out more agentic solutions to their digital workers, as they roll out more digital workers in their operations, I would foresee more challenges in the future in terms of disruptions, just because the way organizations, some organizations, I had to be careful about this. Some organizations are very aggressive in rolling out agentic AI into their core processes without the necessary, sufficient governance in place. And that's the critical piece as we shift towards more, AI era is that the governance as well as making sure that the proper controls are in place, but the good as they roll out the agents in their environment, and again, this is a hot topic right now in the whole cybersecurity community is, how do you secure, or how do you secure identity of all these agents that will be floating around your enterprise? Not just your environment, but also your partners and your critical supply chain.
Raghu N 32:49
Totally, right? And I think just this week, when we're recording this, like the huge amount of coverage, broad bot, malt bot, right? Open claw has got about, oh my god, we've suddenly got this AI agent that is easy to use by any user and helps them boost their productivity. They can run it on their laptop, on their desktop, right on their end, on their end user device, and don't need admin access to install, and we've got a huge problem.
Phil Park 33:17
Suddenly, yeah, it's like the old days. Again, I'm dating myself, but it's like the old days are just going out and installing, you know, the appliances with the default credentials, without hardening, without making sure that the, you know, the non-essential protocols are turned off. Yeah, same, same challenges we have. It's going to be 10 times worse, you know, moving forward. So don't go out there and go ahead. Don't go out there and buy a Mac, you know, Mac Mini, and set up your own personal assistants.
Raghu N 33:46
Absolutely. I'm really glad that you made that point right about the same, it's what we're seeing, right? Even though the technology evolves, what we're seeing is the same gaps, the same challenges occurring again and again and again. So would it be right to say that if we're trying to build a more resilient future, we need to prioritize addressing those fundamental gaps that we've had?
Phil Park 34:16
Yeah, 100% rightly so, we should be concerned about in terms of zero-day exploits and so forth. But for most organizations, it's just like, let's just use a sports analogy, right? Yeah, the fundamentals of blocking and tackling are just as critical right now as more than ever, right? Making sure you know where all your assets are, and now that, besides the traditional way of let's say your data assets, your hardware assets, your software assets, now you got to, you got to include AI access into the asset inventory, right? Making sure your proper privileged access management is reviewed, making sure that you do that continuous vulnerability assessment and remediation. Making sure that you have proper hygiene. We just talked about making sure that all that is continuously monitored, remediated and powered by, you know, proper threat intelligence. The core things like that, the core blocking and tank tackling is just as if not more relevant in the AI era.
Raghu N 35:20
Oh, awesome. I completely agree. Phil, final question, final question for you, right? And this is not on the list of things that we kind of suggested. So, are you a cybersecurity hopeful, or are you a cynic? And by that, I mean, do you look at this and say, yes, cybersecurity is doing a great job, right? It's a hard problem. We're doing a great job, and we need to continue doing better. As you said, focusing on the basics. Or are you someone who says, you know what, cybersecurity fundamentally, the way we approach it is broken, and till we focus on the basics, it will always remain broken. Where do you sit on that?
Phil Park 36:00
I was probably leaning towards the latter part. I am, by nature, an optimist, right? But at the same time, I've seen too many organizations neglect the fundamentals, just like athletes, where they have to practice in terms of their the core fundamentals. I think we as an organization also need to look at the fundamentals to ensure that we are doing all the core fundamentals we just talked about consistently, and be able to demonstrate to the regulators that we do have this. We have this. We're able to demonstrate it when you come in right now, I'm able to demonstrate these core functions. We're doing this in our organization, as well as with our critical partners, to have a more resilient organization.
Raghu N 36:48
Awesome, Phil, I love the way how you expressed, sort of your things that, yeah, we were not doing as good as we could. However, there is hope and there is a very clear path to us doing better. Phil, it's been an absolute pleasure to have you on the podcast. Thank you so much for your time.
Phil Park 37:05
Thank you so much, Raghu, for your time and giving me this opportunity today. Thank you.
Raghu N 37:09
It's our pleasure, and for those of you who are heading to the FS-ISAC Americas summit in Orlando in March, IBM and Illumio are co-sponsoring a dinner. If you want to register for that, the link is in the show notes. Please go ahead and do that. Thank you all for your time and see you again on the next episode. Thanks for tuning in to this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at illumio.com. You can also connect with us on LinkedIn and Twitter at Illumio, and if you liked today's conversation, you can find our other episodes wherever you get your podcasts. I'm your host, Raghu Nandakumara, and we'll be back soon.

