WE'RE IN!

Melissa Vice on the value of vulnerability disclosure programs

Episode Summary

The Department of Defense Cyber Crime Center (DC3) operates a Vulnerability Disclosure Program (VDP) that handles critical cybersecurity issues reported by the public, including using an actual red phone for urgent matters. In the latest episode of WE’RE IN!, Melissa Vice, director of DC3’s VDP, describes how they respond to cyberthreats and collaborate with other groups within the center, such as the Operation Enablement Directorate and cyber forensics laboratory.

Episode Notes

Tune in to hear how the program, which began in 2016 following a successful bug bounty event, has processed over 53,000 reports, 56% of which were actionable, and resulted in nearly 30,000 remediated vulnerabilities.

Listen to learn more about:

Why VDP has been recognized by the government as a reliable and economical cybersecurity strategy 

How Melissa and her team handled the notorious Log4j vulnerability

How DC3 has explored the use of AI and machine learning to enhance capabilities and scale operations 

Episode Transcription

[00:00:00] Blake: Melissa, thanks so much for joining me on the program.

[00:00:02] Melissa: Thanks for having me, Blake.

[00:00:03] Blake: So right off the bat, can you help clarify for our listeners what a vulnerability disclosure program is, and how it might differ from other concepts like pen testing and bug bounty?

[00:00:15] Melissa: Absolutely. So a vulnerability disclosure program is, is an enduring and an enduring program, unlike bug bounties, which are, tend to be a time-based challenge that, that goes out. And so how I can kind of describe this, and it gets very confusing sometimes because we came out of a bug bounty program.

[00:00:39] We were generated from the Hack the Pentagon bug bounty program that, uh, the late Ash Carter, when he was SECDEF, and Defense Digital Service ran in 2016. So from that, they did a bug bounty. They realized that, wow, we're getting some great vulnerabilities submitted to us. And, um, kind of as happens, because bug bounty programs are monetized, they're handing out money for that, high fiving each other, very excited.

[00:01:12] And then Ash Carter very responsibly says, Hey, but who's going to take care of these vulnerabilities that you've now identified? And that's how DC3 was tapped to stand up the first federal VDP program. So it was completely new, very innovative. It was something that was happening in the public sector, but not happening in the federal government.

[00:01:37] So fast forward, uh, almost eight years later. And so we are still going strong. We sort of thought there was a joke in the beginning that we're going to work ourselves out of a job, we're going to clean everything up, and we're just not going to be here anymore. But of course that didn't happen. Like I said, we are not paying out monetarily to the researcher community.

[00:01:57] It's actually what, what we give are reputation points, and those reputation points allow them to climb the leaderboards of their prospective companies, and then get invited to those lucrative bug bounty events. We work with HackerOne, we've been a HackerOne house since our inception in 2016.

[00:02:17] Well, we didn't totally start it with them initially. We were kind of old school with Excel files and emails. Uh, but, but we, uh, began with them, uh, HackerOne and then, uh, from that time, we have also built out our systems so that we can work with the top three, HackerOne, Bugcrowd, or Synack, as we need to for any bug bounty events that we might be running.

[00:02:41] Now, how it's different from a pen test. Let me touch on that for a moment. In pen testing, for one thing, you might give the researcher some information. You may maybe give them a little bit of details or give them some access. And we don't do that for VDPs. They are using the true PIN.

[00:03:00] emulation of what an adversary would do. So we are working with publicly accessible information and they are just coming at us all day long, um, trying to get in, to break in and find any weak spots, and then they notify us about those to be remediated. And that's really the true goodness of having a VDP.

[00:03:24] With pen testing, you might actually go in, pivot, you know, exfil some data, all these other things. I like to say that it's like you pay me to watch your house while you're on vacation, and I come, I jiggle the doorknob, I open the door, and I go, Hey, are you home? Uh, you know, but I don't come in and rifle through your jewelries.

[00:03:45] Uh, I just kind of, you know, in, in VDP land, I just sort of close the door and I call you and I say, Hey, uh, there's a problem here, your door's open. And, and that's really more of a VDP than a pen test.

[00:03:57] Blake: No, that's an interesting distinction. Yeah. You only want to go so far and then stop and be like, okay, let's fix this and then, then talk. Right. But I, I imagined running a vulnerability disclosure program for an organization like the Department of Defense, hello, is huge. So can you tell us a little bit about your day to day? What's what that's like?

[00:04:16] Melissa: Absolutely. Yeah. Uh, I'll just tell you that cybersecurity is a team sport, so it is certainly not just me. It, you know, I have a great team behind me of dedicated vulnerability analysts. Like I said, we are working with, um, HackerOne's, um, nearly 2 million researchers that are out there, and so a VDP also is different in a bug bounty in the way that it's open to everyone who has an account at HackerOne. It's not a private invitation. So the good news of that is that in the nearly eight years, we've had over 53,000 reports that come into us, and we're able to take those, triage, our internal team then triages, validates those reports against any of the, the DODs, like STIGs or, you know, security reference group, you know, the 800-171s, all of that.

[00:05:17] We look at it against that lens. And then if it is validated that yes, this is a real vulnerability, we toss it over the fence to our SME team at Joint Force Headquarters DODIN. And then they have the teeth and the muscle and they put that tasking order together, find the system owner and send it through our Vulnerability Report Management Network, VRMN, which we lovingly call vermin, uh, and they send it through our VRMN network.

[00:05:47] Yep.

[00:05:48] Blake: Right.

[00:05:49] Melissa: VRMN network. And so that's our cradle to grave tracking system up on the high side that, uh, that the researchers, um, work with. Their information will be fed into, and then the system owners can get all of the information. They can ask us for RFIs at any point, more, uh, reference information if they need it.

[00:06:09] But, um, but then they will do the fix action. It comes back to us and we, the real important part is we revalidate those fixed actions. We make sure that they're 100 percent remediated before we will close any reports. If it's not, fine, you know, no problem. Rinse, repeat. We'll give you more information.

[00:06:29] We'll get it done. But, uh, and I can tell you that, uh, of those 53,000 reports, we're at about 56 percent year over year that are actionable. So that's, we're closing in on 30,000 reports that have been remediated in that, uh, seven, seven and a half year time frame.

[00:06:48] Blake: Fixing those vulnerabilities just like ousting vermin from your home, I guess. Uh, something, some sort of analogy to be made there, I guess. I was interested to see that Cybersecurity and Infrastructure Security Agency, CISA, unveiled this Product Security Bad Practices document recently. Now, I know that CISA doesn't dictate policy for the DoD sector.

[00:07:07] It's a bit of a different animal. But I do think this kind of secure by design push and this really calling out organization's failure to actually publish any sort of vulnerability disclosure policy as just a general bad practice. Again, I know CISA may not be completely apples to apples with DoD, but, how do you view that establishing a VDP as a cybersecurity practice?

[00:07:30] Melissa: Well, it's really a good question because I can tell you over that time frame of the seven and a half to eight years, really what has happened is VDPs have been accepted by the government as a reliable source of protection. OMB's, I think it was the 20-32, uh, really says that VDPs are an economical way of, and a reliable way to, um, help protect entities.

[00:08:00] So it's so much so, honestly, that we looked at it and we said, Hey, do you think that there's an ability for us to take the magic we've been doing for the DOD and would that same success work for the defense industrial base? They have, of course, the public sector, but they're not in the DOD space.

[00:08:21] So there is that, that gap there. So we looked at it. We did a one year pilot with the Defense Industrial Base. We thought we would, uh, we did a feasibility study with SEI Carnegie Mellon. We looked at, how many companies might we do in the pilot. We thought, oh, maybe 20 companies. They'll voluntarily do.

[00:08:41] Go through this process. We partnered up with two entities within DC3, our DCISE program, which works with the Defense Industrial Base, and then also Defense Counterintelligence and Security Agency, DCSA. So between the three of us, we come together and we decided that we would put this out for one year from 2021 to 2022 in April, and we thought we'd invite, you know, 20 companies to volunteer.

[00:09:12] And by the end of it, we had 41 companies, so, um, there was definitely an impetus to us that, yeah, uh, the industry recognizes that they need something like this. We focus on small to medium sized companies. We felt that they were the ones that most needed this help and the identification, so they put their publicly accessible.

[00:09:36] Assets out there and our research community, our hackers, our crowdsource ethical hackers were able to go after and find 403 actionable reports for them. Now, you know, it's hard to estimate sometimes what, what does a data breach cost, but if you kind of Google it, you'll come up with IBM's number, maybe. Currently I think it's at like either 4.3 or 4.5 million dollars per data breach. But even if,

[00:10:06] Blake: Oh yeah, it's definitely, it's been in the millions for

[00:10:08] Melissa: For a long time, right? And so it's, it's that ounce of prevention is worth a pound of cure. Uh, so being able to protect these companies and keep them left of boom is so much more important than, just having to try to fix everything after the fact, try to clean it all up.

[00:10:28] It's, it's going to cost them a lot less and it costs the federal government less to be able to do this. Uh, so, so yeah, very successful program, uh, for the pilot and we're proud to announce on the 3rd of June, it became a bona fide program. So we are now, um, offering the Defense Industrial Base Vulnerability Disclosure Program, uh, to any DIB companies that want to volunteer at, uh, no fee.

[00:10:55] Blake: Well, you heard it here, hopefully not first, but you heard it here as well, so if you want to join that program, it's officially established. And yeah, your point about it being a more proactive stance, that is so well taken because, yeah, you don't want to be constantly scrambling just to respond. You got to be out there opening these networks up a little bit, but, you know, that said, I imagine that that's easier said than done in a, in a culture, potentially, like the DoD. I'd be curious to hear how attitudes have shifted during your tenure with the organization and how things have changed over the years.

[00:11:26] Melissa: In the beginning of Hack the Pentagon, I imagine, I totally imagine, uh, that there was a lot of incredulousness, uh, happening when, when Ash Carter says, Hey, I'm going to invite some hackers in today and they're going to attack the Pentagon. I can tell you that I've probably

[00:11:44] Blake: Well, Hack the Pentagon, the name doesn't help that much, right? Like, Hack the Pentagon sounds so intense. It's like, wow, you're really going to go in there and hack the Pentagon? That's what we

[00:11:53] Melissa: Absolutely, absolutely. So, but it, but it does, that, that's really what they needed. They needed to shake that up, right? They needed to be in your face about it. So, the same is true for us. It's, uh, looking at this, a lot of times, the government, uh, is a little slower. Let's say maybe a little slower at adoption rate, but over this time

[00:12:18] Blake: You said it.

[00:12:18] Melissa: little bit, a little bit, just a little bit.

[00:12:20] But I can tell you, you know, again, back to CISA, their, uh, Binding Operational Directive 20-01, to have a organizations and other federal agencies open up VDPs, like, like I said, we were the first federal, we're still the world's largest, but through the adoption of other VDPs and other protection vehicles out there, we really are just looking at a whole of government.

[00:12:47] How can we shore up any leaks that might be forming? And so it's, it's bigger than just DOD, it, it does have to go out to the private industry and, and it, the thing that I would, uh, maybe put out there is that it's not a checkbox compliance thing. It's not just enough to, to make a mailbox and, and have them send in some reports to you.

[00:13:12] You have to have that back end that I described. You have to have someone who is going to track that down and in a very timely manner, make sure that those things are remediated. We use the Common Vulnerability Scoring System, and that's pretty, pretty basic through the industry. But the CVSS scoring gives you how severe that finding is.

[00:13:35] So if it's critical and high, you have seven days to fix it. If it's a medium, you're going to, you're going to have seven days. Up to 21 days, and we give you a whopping 60 days for a low level finding. So, these are not slow processes. You have to be on it and get those remediated and revalidate and test for that remediation.

[00:13:55] And so that's really what you need to have in a proper VDP.

[00:14:01] Blake: And for people who are thinking, wow, seven days, that sounds like a long time. I happen to know, I think the industry average in the private sector for remediating even a critical vulnerability is something in the like 50 day range. So it's like, that's actually still pretty quick. I mean, maybe there's always room to get faster, but that's pretty quick as far as these things go.

[00:14:21] The OMB 20-32, good memory by the way, I was, I was Googling that myself on the side here. And, the White House back in 2020, issuing this memo on improving vulnerability identification, management and remediation. So you talk about the shifting views and the desire to actually, you know, get to a place of action on this.

[00:14:39] And it has been several years of really beating the drum and getting, getting everybody on board. Now with some of this information you're uncovering, as I understand it, you know, DC3 is a, is a federal cyber center, kind of disseminating a lot of information, getting the word out on some of these vulnerabilities and other items.

[00:14:57] What is the flow of information like for you? What are you really pushing out to, we heard a little bit about the defense industrial base. What about other federal agencies, the DOD, how does that information flow work from DC3?

[00:15:08] Melissa: Great question. And just keep in mind that the VDP is only one directorate within the DoD Cyber Crime Center. So, our mission as one of the federal cyber centers is to deliver innovative capabilities and expertise that enables and informs law enforcement, cyber security, and our national security partners.

[00:15:30] And so that could be foreign, I work a lot with Five Eyes partners as well for their vulnerability standards. We also work very purposefully forging and strengthening deliberate partnerships throughout. And so, uh, we want to look at relationships with, of course, other defense agencies, interagencies, like I mentioned with the DIB-VDP, private sector.

[00:16:02] So basically it is a broad range between our cyber forensics laboratory. We do a lot of support and sharing for investigative purposes. We came out of Air Force OSI, and so DC3 is aligned in the Air Force. That often surprises people, but we are in the Air Force. And we are aligned under the Inspector General, the TIG of the Air Force.

[00:16:35] We are no longer strictly under Air Force OSI. In 2021, we became a Field Operations Agency, a FOA. So we're kind of aligned with them. But again, our entire background comes out of law enforcement and counterintelligence. So a lot of behind the scenes, you may not hear DC3 out in the news a lot. A lot of what we do is very important and we're working behind the scenes to support a lot of other organizations to do their work.

[00:17:10] Blake: And that spun out from under the OSI referring to the Air Force Office of Special Investigations. That does sound like something that you might, that might be doing some important behind the scenes work if you're, if you're talking about, maybe not being in the news, but still delivering some pretty, pretty important results.

[00:17:25] And, you know, to that end, the information side, if you really come across something that, say, is super sensitive, super critical, you're like, wow, we got to act on this, not in seven days, but like yesterday. Is there a proverbial red phone for a really urgent phone or some way to get the word out quickly about some of the more pressing matters?

[00:17:46] Melissa: Well, you just made me laugh on that one because it's not a proverbial red phone. I have a red phone on my desk and yes, it is for those matters. It is the literal red

[00:17:58] Blake: actual

[00:17:59] Melissa: actual, I call it my secret squirrel phone, but yeah, I, that's, that is the phone. 

[00:18:05] Blake: I would, too. That's pretty cool, honestly, to just have a red phone. Now I want a

[00:18:09] Melissa: There you go. I have it next to my red Swingline stapler, if you know that reference.

[00:18:13] Blake: Oh, I do, I do.

[00:18:16] Melissa: But yes, uh,

[00:18:17] Blake: I won't take it. I won't

[00:18:18] Melissa: want to take that one? Okay. Uh, but yes, it, it, we do have the red phone. So there are certainly times, there was one last week that I can't talk about where I was, I happened to be at the Fort and I was briefing the J Dub, which is the joint director's update briefing. You know, for the J3, uh, talking about what's going on in the world.

[00:18:38] And I had to rush back to the office and go talk to another group within our organization and say, are you aware of this? Are we doing this? What's happening? So yes, we do use the red phone and certainly, uh, being the VDP and having it out there, a lot of times, it's so well known, but people don't know what, what do we send to you?

[00:19:00] So we do get a lot of things that are not within our scope, let's say. It doesn't go to us, but we always make a very concerted effort. We take everything seriously that comes to us and we, we will VFR that over to the right, the right owner to get things taken care of. I can tell you one that, you know, one story I can talk about is Log4j.

[00:19:24] Remember Log4j? It happened right before Christmas. I had just put in for like two weeks of leave and here, boom, it drops, right? Yeah. Of

[00:19:34] Blake: course, of course, they always, they always hit over the holidays, the worst ones, it seems.

[00:19:38] Melissa: But Log4j, we were, it was, it was good because we were able to then confer with some of those other groups within DC3. So one group that we have is the Operation Enablement Directorate.

[00:19:50] They are so well versed, they are counterintelligence analysts, they have native language speakers for all of those countries that we care about. And so they're always getting the behind the scenes. We have, of course, like I mentioned, our cyber forensics laboratory. So they're always diving in and, and getting to the root of things.

[00:20:10] And of course, our DIB services division, which is working with any voluntary or mandatory defense industrial base reporting environment. So if there is an incident response, VDP is kind of a weird animal because we are left of boom, we are pre-incident. But the rest of the, the crime center is.

[00:20:32] It's always looking for that indicator of compromise. Good news on the Log4j is that we were able, again, to pivot a bug bounty that Defense Digital Service was running and so when Joint Force Headquarters DODIN came to us and, uh, Skinner called and said, Hey, can we get a, can we get a bug bounty on this Log4j thing?

[00:20:54] We were able to stand that up and run that within two days. And these take about four months to put together, honestly, so this was an exception to the rule, but it was perfect because we were really able to get after it, have an inter, inter agency coordination and pull everyone in. CISA, I think, did a lot of advertising about the Log4j bug bounty, but it was very successful for us.

[00:21:20] Blake: And that was certainly one time when crying wolf was absolutely warranted. I saw a report recently from Datadog showing that Log4Shell exploits are still going around evading detection and compromising organizations today. What, two, three years later almost. Yeah, it's definitely two days.

[00:21:37] Good to jump on that right away and, uh, and get some of those threats mitigated. Now. We've made it this far in the conversation without talking about generative AI. So I have to broach the subject. It's, it's almost a mandatory, got to talk about AI at some point, but, but in all seriousness, I know the Department of Homeland Security warned in its most recent annual threat assessment that this technology quote, will have the unintended consequence of adding layers of complexity to the threats we face, end quote. I'd be curious to hear what the implications are for some of your work today.

[00:22:10] Melissa: Well, I think it's one of those that we'll know when we know. We'll see it coming, but I think one of the areas that the federal government is really looking at, and I know the Air Force specifically, is already looking at how we can leverage artificial intelligence and machine learning to enhance the activities that we're doing so that we're able to combat what comes our way.

[00:22:37] One of the things that we've built into and we're enhancing the defense, defense industrial base vulnerability disclosure with is some of that front end AI/ML work, so we're, we're using that to be able to take that to scale. If there's an estimated 300,000 DIB companies and we're looking at about 75 percent of them are small to mediums, well, how are we going to get from 41 companies to 300,000 or anything close to that?

[00:23:10] We will never have enough federal employees on the roster to service all of that. So we have to look at ways that we can, can work with it. And part of that is going to be, of course, working with some artificial intelligence, being able to data sets that information and onboard our customers in a very efficient, quick manner.

[00:23:34] So I'm sure generative AI is going to continue to morph and change. And I can tell you, we, we actually had a, um, I'm in, you know, working groups and other things, of course. But we had a women in tech working group, uh, just yesterday where we did a, an upskilling day. And that was, our topic was AI.

[00:23:56] So we did an AI/ML working group. That was very fascinating. Learned a lot about quantum computing that I didn't know yesterday. So it was pretty fascinating.

[00:24:06] Blake: That sounds fascinating. And speaking of women in tech, you're a member of the Women in CyberSecurity group, uh, WiCyS. What can you tell me about the need for groups like that and initiatives aimed at supporting women in security generally?

[00:24:19] Melissa: I think there's a, a, a, there's a need for all groups and it's not just supporting women and, and honestly, I think the motto of WiCyS, if it, if you had Lynn Dohm on here right now, uh, she would tell you that we hope someday we don't have to call it women. We don't have to make that distinction. But for right now, we kind of do.

[00:24:39] Uh, so it, it, it is a, a wonderful organization. It's not just for women. But they put on just amazing content. I've spoken at their conferences multiple times. I've been on group panels, things of that nature. So I highly recommend that group. I'm also in a lot of other groups. I'm in the AFCEA, another fabulous group, the Armed Forces Communications and Electronics Association International, it's a big one, so the AFCEA.

[00:25:11] InfraGard with the FBI, that's a really nice one. I'm in two think tanks, the National Security Institute, NSIs, and a member group of Project Everest, and no, it has nothing to do necessarily about mountain climbing. But, but I, so that's, that's, that's what I would kind of say is that, yes, we definitely need not, not just the, the female only groups, but I would just say, if you're going to join the federal government, join every group you can find, you're going to meet some great people.

[00:25:44] You're, you're definitely going to be introduced to information that you didn't even know you needed.

[00:25:51] Blake: And how do, how do you work to attract and retain cyber talent on your own team?

[00:25:55] Melissa: I think one of the hard things, for the federal government that's, that's, they recognize and identify. But it is across the board in cyber security, it is difficult to retain that talent base. But what we find is that if we, we bring in internally to our group, if we bring in folks who have a background, maybe in IT, if they've done some help in IT.

[00:26:20] You know, that type of work, or they just have kind of a general understanding of the hardware and the software of a computer. What they love is that they can now come in with that base knowledge and we can train them up. We can teach them how to think like a hacker. And they need that, that knowledge, even to bring in those reports.

[00:26:46] Like I said, we validate, we triage. So we're not just kind of passing that through. Our team need to be very skilled at understanding does this proof of concept or POC, we call it, does that POC really work? And then when we see the fix actions, how do we know that it's truly remediated? And that just gives our team the ability to grow within.

[00:27:11] We have about a three tier level association there. So they're always out there doing capture the flags, you know, we'll get them in different hack, Hack The Box, hack, TryHackMe's, you know, all these other types of organizational things where they're keeping their skills sharp and they're learning not even from, you know, just in that environment, but we have weekly tech talks.

[00:27:35] We will host Tech Talks with CISA's tech teams. Across the board, it's a, it's a small world, honestly, in this arena, but we all know each other. We all have respect for one another, and you can always learn something, something new. We had talked offline about, you know, going to Hacker Summer Camp, going out to Black Hat, DEF CON, you know, all of these conferences, and so it, it is a small community.

[00:28:02] We know each other, but you can always learn something else. There's always something new to learn.

[00:28:07] Blake: Absolutely. No, and it is something that's certainly appealed to me as well on the cybersecurity community side of, I think there is this sense of rising tide lifts all boats, people in it together for some of the same mission sets, that being said, you obviously work with a very particular mission, critical defense oriented mission set, and you've spent a good part of your career with the DOD and the US Air Force.

[00:28:29] To say nothing of the cyber community, these are some pretty big bureaucracies in their own regard. So what's something that you wish you would have known on day one, heading into, to DoD to achieve some of the best security outcomes for our nation?

[00:28:41] Melissa: That's a wonderful question. And yes, I have, I think you put it to me. Uh, I've spent a decade and a half with IT and security for the federal government, but that's only really my federal government. I've, I've literally spent about four decades at this point, in IT and different various roles. But one of the things I came into the federal government in 2009, when they were doing SMEs, I was at General Electric's aviation division, and they're running their global repair technology center, so teams all over the world doing, you know, again, aircraft engine problems. So coming into the federal government, I, I didn't really know much about working for the government, but I was recruited in, I would say the very first thing that I should have known or should have understood that I did not, is that it takes so many people working together in tandem to get things accomplished.

[00:29:44] So, start with relationship building, that is so important. Join interagency working groups. Join those professional associations, join a think tank, you know, join things that are going to challenge your thought processes and challenge your beliefs and get you to meet other people because remember their career is growing as well.

[00:30:09] Remember that, you don't know who's going to be the next general or, you know, people are going to get promoted there. So meet everybody you can, really, really focus on that relationship building. WiCyS, uh, AFCEA, all of these different things. Also, I would, I would say that when you go out and take training someplace, really focus on your cohort, get to know your cohort that's there with you.

[00:30:35] I was fortunate enough over COVID to be able to take some of the Harvard Kennedy School courses, because they were available online and they were like a third of the price. So I'm like, Ooh, I can get this done. So it was just, I took a lot of great courses, but one that stood out was Dr. Jennifer Lerner's Leadership Development Decision Making. So that is just a fabulous course. And my cohort in that, there were so many books introduced to us, and we thought we're never going to get through all these books, that five of us came together and created a Harvard Kennedy School Leadership Decision Making book club.

[00:31:14] And so we meet once a month, we have a LinkedIn book club, we, and so we have folks from Germany and Australia. The group has grown, I don't even know how many members we have now, but it's the highlight of my month is that we all get together for an hour and, and this also forces us to read the book cover to cover, because we're going to have to show up and discuss it.

[00:31:36] So we will take little chapters at a time, a few chapters, we're all very busy, we will do it, and we, we, we get a chance to talk about how, how are we leveraging this information and putting it towards our careers, and so really think about relationship building.

[00:31:52] Blake: Well, to say nothing of the impressive Harvard connection there, I'm just impressed that you're one of the few people I've spoken to who's, you know, started a pandemic era book club and managed to stick with it all this time because, maybe speaking from personal experience, some book clubs kind of trail off after the pandemic kind of wound down a little bit.

[00:32:08] But, finally, this is something that we ask of all our guests in the podcast. What's something that we wouldn't know about you, just by looking at your LinkedIn profile or hearing about your book club?

[00:32:17] Melissa: I would say that people probably don't understand that I am severely an introvert. You see me out there talking all the time, at all these different places, but I am, um, I have a lot of social anxiety and I'm an introvert. So you might see me out and about and then I will go hide at home and recover from, from that.

[00:32:42] I'm an introvert who plays an extrovert on TV. So that's, that's kind of how I look at it.

[00:32:49] Blake: Well, I really appreciate you playing the extrovert on the podcast here. Some great perspectives. I'm sure our listeners will appreciate your insights as well. So thanks for joining us and, great conversation,

[00:32:58] Melissa. 

[00:32:59] Melissa: Thank you so much, Blake.