i used the term n.i.s.t., and i had to define that for the audience. what we really need to focus on is awareness and education. from our perspective our members are 900 rural telcos across the u.s. and they all want to be more security, right? they want to protect their core network, their customer's data and information. it is a question of assisting them with doing that more efficiently and effectively. >> so we were talking about metrics with reference to the framework. every company has a corporate risk manager. they don't have a corporate risk eliminator. you can't eliminate risk. and so then when you start applying the frame work at the individual corporate level, you have to utilize it. you need define the threats, the types of attacks that you can suffer, that you can protect against, you might be able to protect against, and those you cannot protect against. and that last bucket is data tap. not even the federal government can withstand a nation state attack. in that fuzzle middle area, where it may be a nation state or organized crime, it is