Artwork for podcast Privacy Pros Podcast
How To Stand Out And Succeed In Data Security
Episode 3228th June 2022 • Privacy Pros Podcast • The King of Data Protection - Jamal Ahmed
00:00:00 00:45:50

Share Episode

Shownotes

Get inside knowledge into the world of Data Security from a Leading Privacy Expert!

Hi, my name is Jamal Ahmed and I'd like to invite you to listen to this special episode of the #1 ranked Data Privacy podcast.

In this episode you’ll discover:

  • The Most Common and Costly Mistakes To Avoid In Data Security
  • How to successfully implement Security Programmes and encrypt data
  • What you need to stand out in the hiring process
  • And the possibility of a Federal Privacy Law in the US!

Ready to become a World Class Privacy Expert? Book your call to join the World's Leading Privacy Program

Jeff Sizemore, Vice President of Governance and Compliance at Egnyte, is responsible for the strategy and execution of the Egnyte Protect content governance solution.

Jeff has an extensive background in data protection, specifically in encryption, key management, data loss prevention, and identity and access management. Jeff has helped define the market by contributing to several start-ups, including PGP (now part of Symantec), Ionic Security, and Port Authority (now ForcePoint DLP). 

Listen Now...

Follow Jamal on LinkedIn: https://www.linkedin.com/in/kmjahmed/

Connect with Jeff on LinkedIn: https://www.linkedin.com/in/jeffsizemore/

Subscribe to the Privacy Pros Academy YouTube Channel: https://www.youtube.com/c/PrivacyPros

Transcripts

Intro:

Are you ready to know what you don't know about Privacy Pros? Then you're in the right place.

Intro:

Welcome to the Privacy Pros Academy podcast by Kazient Privacy experts. The podcast to launch progress and excel your career as a privacy pro.

Intro:

Hear about the latest news and developments in the world of privacy.

Intro:

Discover fascinating insights from leading global privacy.

Intro:

Professionals, and hear real stories and top tips from the people who have been where you want to get to.

Intro:

We're an official IAPP training partner.

Intro:

We've trained people in over 137 countries and counting.

Intro:

So whether you're thinking about starting a career in data privacy or you are an experienced professional, this is the podcast for you.

Jamilla:

Hi everyone, and welcome to the Privacy Pros Academy podcast. My name is Jamilla, and I'm a data privacy analyst at Kazient Privacy Experts. With me today is my co-host, Jamal Ahmed, who is a Fellow of Information Privacy and CEO at Kazient Privacy Experts. He is a revered global privacy thought leader, world class trainer, and published author for publications such as Thompson Reuters, the Independent, Euro News, as well as numerous industry publications. Welcome, Jamal.

Jamal:

Hi, Jamilla. Good morning. Good afternoon. Good evening.

Jamilla:

And I will introduce our guest. Our guest today is Jeff Sizemore, who is the Chief Governance Officer at Egnyte, and he is responsible for the strategy and execution of the Egnyte Protect content governance solution. Jeff has an extensive background in data protection, specifically in encryption, key management, data loss prevention, and identity and access management. He has helped define the market by contributing to several startups, including PGP (now part of Symantec), Ionic Security, and Port Authority (now ForcePoint DLP). Welcome, Jeff.

Jeff:

Thank you. I'm so excited to be here.

Jamilla:

No, thank you for joining us. As always, we start off with an ice breaker question. What is your favourite holiday?

Jeff:

Definitely Christmas. No question about it. We have children. It's amazing to see them under the tree that day and see what they're see them excited, spend a week with them.

Jamal:

What's your favourite holiday?

Jamilla:

I like random bank holidays that we get in, like, August, because now you're an adult, you don't get school holidays anymore. You're not off for six weeks in the summer. So it's nice to have a little bit of a break. So I like a random bank holiday.

Jamal:

sand years old today or she's:

Jamal:

Yeah.

Jamal:

Because everyone gets really excited and you can see it feels like there's really good spirit around. So I really like those ones.

Jamilla:

Right, let's get into the questions. Jeff, could you tell us a little bit more about Ignite, what the company does?

Jeff:

Yeah, absolutely. So Egnyte really does two things it's known traditionally as a cloud-based file server, its one of the first ones in the market. It's been doing that for some time. About four years ago, some folks came to me and said, hey, we really want to take security seriously. We want to move forward. We get a lot of questions about this. Let's evolve. So about four years ago, I came over here to help build out the governance practice and what we do. So we built that out and now if you look at the business, we're actually more governance heavy than we are file server four years later from the business and doing quite well and scheduled IPO next year. So the business is great. And honestly, it's been a great ride. When you look at File survey, they did such a great job, I think that was great but what I really loved about the opportunity in our world in security and governance, often we have to try to find our way to fix a problem and reverse engineer something. But when you can own the file server and own the capabilities, you can build and embed privacy in there, you can embed zero trust models into the way that we work and not try to reverse engineer those. So it's just been really great to have and be able to provide a solution for those leads, for those large organizations to embed this the way that it should be. Instead of saying, hey, let me sell somebody to go buy something from somebody else, right? Let's bring this together and make this so people can solve these problems. And I think the more achievable people, right, I don't want just the city banks to solve this problem. I want my lawyers to solve this problem. I want my accountants to solve this problem. We want everyone to. And to do that, you've got to get to a more repeatable motion. You got to try to drive new solutions and strategies to help these folks come along. So it's really great opportunity and it's really been fun and just great to see so many people started to really come forward and really trying to do the right thing. So it's wonderful.

Jamal:

Yeah, that's great. I really love that and I resonate with that. And one of the reasons why I started the consultancy case Kazient Privacy Experts, was because we saw that small and medium sized businesses, those are not large enterprises, didn't have access to that same quality of service and the same quality of solutions. And to hear you saying Egynte is all about bringing in security and making it accessible for all businesses, that really resonates with me. And I'm so happy and excited to hear that. The other thing I'm really keen to understand is you said you're looking to IPO next year. That must be such an exciting time in the business. Tell me, what's it actually like being part of a business about to IPO?

Jeff:

Yes, it's funny. I've done a couple of them now, and I did Anderson felt that was a huge organization, obviously, to venture. That one was really quite big, but this one is just interesting to see how this works and the requirements and things, you have to start building for early. Right. The way that you have to project to your number the way that you have to build your back office and make those investments and things that you need to get there. It is, make no mistake, it is a huge back-office push that you've got to do to address automation, to scale and to measure the right margins, the right services. Everybody's looking at every dot and making sure that you're getting exactly what you need to do. So it's not necessarily a restructure, but you're definitely trying to scale as fast as you humanly can and scale in a repeatable methodology that you can continue to run. Because once you get IPO, there's no going back. You can't go and restructure. You can't do those things right. You got a number to hit. You got to run your business every quarter. So you got to really pump through this at the beginning and get through this kind of opportunity to optimize, because it's hard to have those opportunities again once you're publicly traded.

Jamal:

Yeah, it sounds like an amazing environment to be working in right now.

Jeff:

It's a lot of fun and it's just a lot of fun helping these customers start to think about these things. And it's been great. I mean, over the last couple of years, just seeing CMMC and all these rules coming into play, all these new regulations, privacy coming in. It's just such a forefront thing now that it should have been forever. And it's just so great to see so many people actually thinking about this now on the board level and working with it. So 5,10 years go, we're talking about privacy or even 20 years ago, and as a PGP, you were like the smart guy in the corner that nobody wants to talk to. Nowadays, when you talk about it, it's a prime topic for everybody. It's on everyone's mind and everybody's moving forward. And it's getting the attention that it should. I'm not sure it's getting the full budget that it should just yet, but it's definitely getting the attention, which is a start.

Jamal:

All right, so you mentioned a lot about Egnyte and security. The question we have for you is why is privacy so important to you?

Jeff:

Well, privacy for me is where it all started and really my whole goal. And when I think about security, I think about enterprise privacy, and then I think about consumer privacy, and I think about crypto. I think I'm making sure the data is owned by the enterprise. They can manage that. When I think about the consumer, it's a right, this is information, it's data about us when we're coming and going. The only thing we've left in the organization is the data. And that data should be protected as an asset, and it should also be minimized as a liability. And we have to do a much better job as we become data driven businesses, and we can't build these businesses on the back of our consumers data. It's wrong. It's not the right thing to do from a trust perspective. It's just that people aren't the products here, right? They shouldn't be and it's just the things that are happening right now and things that have been happening over the years is absurd with what people are doing. And it's a passion. It always has been, it probably always will be. It's got to continue to get fixed. It's a human right, and it's your right to if I want to sell you my data, that's my choice. You don't have a right to take my data.

Jamal:

That's super interesting. And hearing that from somebody that's not based in Europe to see and recognize as a private right is also super fascinating. How do you feel about the lack of progress we see in the states when it comes to a federal privacy law?

Jeff:

It's so challenging here because of the confusion. I think the bigger part of this is you're getting into politics between red states and blue states and what they think of and how they look at it. It's just unfortunate that we're not doing this as a federal right. I mean, we have these laws that should be across every border because the data is crossing every border, right? It's not like I can say, keep the data in Illinois, it's not going to happen. I can't say, keep it in California, it's not going to happen. It's a federal issue, and it's confusing for people, right? I mean, when you go there and you say, solve this privacy problem. But here's what Nevada looks like compared to Colorado, Colorado to California. It's like a spaghetti of laws, right? You're just trying to put this together and do the best that you can do and trying to really meet these requirements. But it's really hard, and it's hard to understand what's in scope, what's out of scope. And I think the bigger part of it is most of them don't have teeth, right? California is really coming now with CPRA, so they're getting this thing happening, so they're going to have an oversight group. But a lot of it, you see, we're still not seeing the teeth that you guys are starting to see with GDPR over there.

Jamal:

Thank you. And Jeff, a lot of our audience is listening, and they're really interested in a career in data privacy and really taking a career to the next level. And security is something that they might not be not so diverse in compared to the privacy knowledge. So can you just help us break down some of these security concepts? For example, when we're talking about key management, what is that specifically.

Jeff:

Yeah. When you think about key management, it becomes really interesting because of how you build keys and how you structure. I think you encrypt something with a unique key and you can control that piece of data 100%, whether that data is on or off through the key. But the way you do key management is it a single key per file that's unique that means that I now have revocation of one file, particularly, I can control it, but I have all the screen to our management rotation of it. But ultimately, the key kind of defines the policies. Right. Hey and the hardest part about encryption, to be quite frank, is the keys are the keys, and you got to be able to rotate, you got to be able to screen them, make sure that the keys are the customers keys. It's your keys. It's not my keys. I can use them. You can shut my service off the way you want with your keys maintains control, and anyone using any cloud product, in my opinion, should really be doing it with their own key management system. Right. There's no question they should have the right, if they don't trust that cloud vendor to turn on and off again. And I think some people are doing that and then they're starting to work through there. But when you look at encryption, I think some of the hardest problems that we are dealing with are when to encrypt and how to decrypt under what context, encryption really does follow a standard. Right. You're going to go FIPS 142, you're going to follow the standards, but if you encrypt too early, you break things and you think about, like, a consumer privacy. If I encrypt information I stored on the server, you no longer are going to scan that server, you're not going to scan that file. I can't maintain that consumer privacy. So if I were to encrypt it, say, on the way out of the environment, and I were to encrypt it there and it's clear it's in my environment, the way that normally what I can scan and do things I do and find the privacy, you're in a good place. So one of the biggest challenges you have with encryption is how do you actually do this without breaking things like consumer privacy or consumer compliance, right. And being able to go and find this data. So you have to encrypt on the way out. And then when you go to decrypt, you have to make sure you're doing it for the right reasons, like, hey, you know what? You're not in the UK, so you can't open this file. We're not going to open it. Right. We're not going to give you the key. But there are other things that we think about how we do it. But an amazing opportunity of what we're seeing with key management and homework concepts happening now, where, hey, you're going to be able to encrypt and still read files while it's encrypted. These things are starting to happen. So when we get a little further, this is going to be pretty amazing to see all the data encrypted all the time, but we're not really there yet. But I definitely think key management is a big issue for us because of the way you think about key rotation. You start to think about quantum computing coming in, how do you replace these keys? And you got to think about key performance, right? If it's every file in the company's getting unique key, how do you manage that? Where does that sit? Where does it live? And how fast that key management system to create those 100,000 keys a minute, whatever that might be.

Jamal:

All right, thank you. Thank you for explaining that, breaking it down a little more. And the way I like to think about encryption key management, and this is the way I kind of explain it to the guys at the Privacy Pros Academy is imagine you've got a big, massive house, and within each house, you have a room. And to get into the house, first of all, you need a key. And you might have one key to get into the house, and everyone might have a copy of the key. So you can all get into the house. But to get into specific rooms, you will all be assigned a key based on the information of the valuables in that room and whether you need to have access to it or not. And sometimes some of these rooms might have information that is super valuable. So instead of just having one key to get in, you might need two keys to get in. And you will have one key and someone else will have another key. And then the challenge really becomes, as you said, in making sure that the management of that is actually efficient and effective. And we are not having too many keys and we're not encrypting them just for the sake of it by encrypting it on the way out or making sure that it's done appropriately, trying to protect both the security and the privacy. What are some of the mistakes you see privacy professionals making when it comes to security and privacy?

Jeff:

policy or one capability and:

Jamal:

Yeah, that's super useful insights. Thank you so very much for sharing those valuable insights.

Jeff:

Yeah, of course. It's the first part of these programs is just people got to see the data, know that they need to be part of the solution and they've got to start becoming more aware that this isn't you pick up some rug and hey, here's some magical data on here. It doesn't work that way. You got to protect, you know, what's going on.

Jamilla:

Just a quick question, going back to the key management and the analogy that Jamal referred to. When we're encrypting data, are we encrypting the key or we encrypting what is for example, in the room of the house?

Jeff:

In some cases both, depending on how you're going to transmit the key. Right. So if you have a piece of information, you're going to have a key associated to that. But to get that when somebody is going to go request that key, you may be sending that key in an encrypted packet itself and then decrypting so the key is available so that if it's not intercepted in something like an SSL or using something of that nature. So ultimately in transit, that key should be encrypted and then when it's delivered, it's used to decrypt the content, it's destroyed in memory and the next time you save the file you get a new key. But that key should be encrypted in transit unless you don't have to. If you trust SSL, then great. I guess you don't, but generally speaking you should.

Jamilla:

Interesting.

Jamal:

All right, can you tell us a little bit more about where you think the encryption sector is right now and where you think it's heading?

Jeff:

Yeah, well, I mean we hear everything with zero trust right now, right? That's everywhere. And everything we're doing is making these decisions but I think that a lot of information obviously is encrypted everywhere in these environments now, which is wonderful, but there are a lot of opportunities as we start to continue to evolve and make encryption a better part of our life. And I think we're going to start seeing all sensitive data being encrypted to the organization very shortly. So on the desktop, it's going to be there with that additional recovery mechanism they might have. So in the future, we're going to start seeing all of the sensitive data, the PII and cyber data being encrypted to a key, living within the infrastructure that it would be. And that key in theory, should be marked as it's there because that file has PII. So you think about a file being encrypted and metadata saying this has PII and this is why it's encrypted. That is the world we're moving to. As soon as we get better context of the data, better understanding, you'll continue to see this and then we'll start making better decisions based on things like third party suppliers. How much do we trust this third-party supplier? Can they decrypt these files to pay back to them? No, they're higher supplier, they've had a breach. No, you don't get the decryption key. So it's definitely going to be the enforcement of the high value data and how we share this moving forward. It's just this evolution of how we continue to operationalize it in the environments.

Jamal:

Yeah, that sounds like ideal solution for where we want to get to. Sometimes I worry about if it's a little bit of overkill just because the metadata said the file has PII, do we really need to encrypt all that data? And it's going to be really interesting when we have to create policies for businesses to understand at what level and which kind of PII they're actually going to start encrypting to that level and which ones they won't be. So I can see lots of interesting challenges privacy professionals and security professional models are going to have to overcome moving forward. On that note, what do you look for when you're hiring someone in the data privacy field?

Jeff:

Yeah, well, I mean, first off, we're always looking for making sure these folks are certified. They have there, they went through this before, they've done work and things like rediscovery and data privacy fields is somewhat new. Right. We're starting to see these DPOs come in. Some of them are more I see more in the legal side of the house, we see them there. But I try to find folks that really understand that have been in the audit positions that have understood this and understand the controls. Because often if you don't understand the technologies, then you may commit to something that's not achievable from an audit perspective or compliance. When you commit and say, we will protect all of this information this way, and then you start to work with your engineers, like that's not really possible. We can't really do that. So often. I see kind of, I prefer more of engineers that have went through the audit phase that it went up there, and now they're really working at DPO phase because they tend to, for me anyway, especially being a product company, to make sure of how do we implement effectively in the organization. The policies and procedures that are there are somewhat standardized in the world. I mean, you continue to have to do this, but the techniques actually to be effective, and to roll the stuff out is key.

Jamal:

Yeah. I hear exactly what you're saying. And I think this is a struggle sometimes. And this is something we're trying to overcome in the academy. Is there are lots of certified individuals but just because somebody has the actual theory and they've been managed to pass ninety questions to hit an exam and show you that piece of paper. When you start talking to them, when you bring them in and you make a mistake of actually hiring them you realize that they don't actually understand how this applies operationally. And it can become really frustrating for businesses, for recruiters and for hiring managers. And so one of the things that we're really keen on at the academy is making sure that self study is great, looking at past exams is fine, but it's not really going to help you to have a thriving career in data protection and data privacy. It's not going to help you to solve the challenges that you want businesses to hire you to solve, because you have to understand the practical application for that. And the best way to understand, get that practical application is to go and learn with mentors. Go and learn with people who have been doing this day in, day out, who know what the challenges look like, who can share these stories so you can really build on that experience that they have and really understand how it applies, and then go and get hired by companies looking for top talent and make an impactful difference and really thrive in your career. What do you have to say about that, Jeff?

Jeff:

I think it’s spot on, but there's no question. I mean, you go through the life cycle of this and working through this and actually working from beginning, and you start to understand those caveats in the organization and how it works and the things that you can and can't do, you have to prepare for with your lawyers. You're in, I don't know, financial services, right? You have to retain data for financial transactions. Well, you're dealing with privacy or delay. How do you handle this? How do you prepare for this? What date do you provide back on a consumer request? What don't you provide back? These are things that are just once you went through this and you understand this, then you can start to think quickly on how to do this, as opposed to you're learning on the fly and hoping you're doing the right thing. And there are a lot of those caveats, right? There are superseded laws that are telling you to do something different. There's geolocation issues, there's these data residence issues you have to consider. There's a lot to think about from an architecture, from where physical presence is. And you hear people say, data localization, right? Hey, the data should live in Europe. And people say, well, we are going to make sure this happened. And some people say, yes, our data centres are in Europe, and that's good, and that's where we're at. And our offices are in Europe. I've seen others that say, well, we want to make sure that if anybody were to leave Switzerland, the data will stay encrypted, and it won't decrypt until you come back over a Swiss IP address. Well, that sounds really amazing, but it also is pretty overkill and it's pretty hard to manage. Saying our employees will never leave the country, that's a good view of someone and where they've said they've taken such a hard angle at this, you're like, yeah, you could do it, but it's not functional, right? And I think those are the kind of things you have to look out for. And I think you have to, to your point, you have to mature over time, right. You got to get the investment and you just got to let this thing, hey, we're one, we're going to get to a two, we're going to let this program build and we're going to get to where we want to go. But doing it overnight and trying to slam it in, it's going to be a rough project.

Jamal:

Yeah. And I completely hear what you're saying. This is something that I find when I'm consulting, specifically clients struggle with is, in the GDPR we have the seven different principles of the GDPR. And one of the things I really make sure all my mentees master and really own from and get embedded in the DNA is the seven principles because you can't just think about one thing on its own. So for example, one of the principles is confidentiality and integrity. For us to have confidentiality integrity, we have to balance that against availability. And if the data is not available to the people who need it for doing the role, their task, their job, then there's no point having that confidentiality, that security, because it's useless. It goes against what the company is trying to achieve. It goes against the impact they're trying to make. And when you're talking about the fact that, okay, if anyone leaves the country, or if any of our team leaves the country, they're not going to have availability to the data because we want to think about the security, you're right, they have to balance both of those things and businesses often struggle with that. Have you got any kind of memorable stories where you've gone in and been able to solve based on some of those competing challenges, because it's not always straightforward to find those solutions.

Jeff:

Yeah, there's been a few. I'll tell you one that's kind of interesting to this point. I worked with a very important financial regulatory organization, and they went and said, hey, how do you help us secure our data? We need to maintain these laws. We have all these things happening, but we don't want to use encryption. Well, that's interesting. Why don't you want to use encryption? That's a pretty interesting statement. Well, we put together a great encryption program, and we found out because of our program, that our analysts for this market segment versus our analyst for this market segment couldn't see each other's work because of the crypto keys, because it was so isolated. And because of that, we couldn't see the data set properly as an organization because we couldn't see the data set properly. We missed major issues in the economy because we couldn't see each other, right? And so they're like, we have to figure out how do we create this environment that people can work and collaborate in a secure way and not be overly secure, where it limits the collaboration. And that's one of those cases. And I think often you see this a lot, where people come in and they say, we're going to turn on a DLP program, and we're going to start blocking. Like, well, do you understand your data? Do you understand how people work? There's a lot to say. Maybe you start with the trust and verify model for a while, and then you eventually get to your, I'm going to block model. I'm going to do this. And you should, because often when they do that, they turn on too soon, and it just completely corrupts the program because every executive is up in arms. They're blocked. They're trying to send that critical file. They can't do a thing, and they turned it on too soon. They didn't know their data. They didn't go through and do things the basic clean up, like Ras data and understand all the redundant information, to do the things they should do in the background as an organization. And they just immediately put this friction on their users, right? Like, we're going to start blocking you. You're going to label files five different ways, and you save it, and ultimately, you're not getting anywhere in the first place, when you could have looked at this data set as a whole and said, okay, let's understand information. Let's get rid of why do we have 47 copies of Social Security numbers on the same Social. Let's get rid of this with the same National Identifiers, and we're not doing our due diligence to take this pain away from them initially. There's so much more we can do to understand the data, to make minor changes in large data sets, to create a more secure and private environment, and eventually it's going to impact the users, but we should not be impacting these folks in day one with all the AI, all the ML. I don't need you to tell me if something is sensitive or not. I ought to be able to figure that out and I need to do it at scale because it's a lot of data because that model, it doesn't scale and it's very intrusive on the devices and it's very intrusive on the people. And generally because of this they never get out of basic monitoring mode and they can't progress their programs forward because they went and blocked before they understood the habits and the data.

Jamal:

Yeah, that's super interesting, super insightful. And it reminds me of a few nightmare client stories. Some of the challenges we see with clients is they would have gone with a consultancy or they hired some external resources or even they would have had an FTE or a whole team to come and make some of these changes. And what we see average and poor consultants doing is they will come in and they will apply some kind of a template approach that they've learned or they've discovered in other places and they're just trying to apply that to every single organization without taking the time to understand. All of those important things that you highlighted is the first thing you need to understand. And I think one of the things that has really helped us to be successful and that helps our students be successful is having that approach of before we come up with any ideas, before we come up with any suggestions and solutions, the first thing we need to do is understand what it is that you're actually doing. How are you using data and all of the intricacies and all of their processing activities once they understand that and understand why different parts of the business process it this way and who they need to communicate and what are the challenges of not being able to do these things. Only then can you really apply bespoke solutions and really help companies to protect their data. Protect their reputation. Protect the trust that's been entrusted to them. While at the same time helping them to cultivate that trust. Inspire that confidence and ultimately maximize their profit or their bottom line.

Jeff:

Yeah, you're spot on. It is absolutely the key and it's about giving insights and I think this is an opportunity we have in the industry now, which is when we start to learn this information, we don't really have good dashboards for people to help them be part of the solution. We haven't done this. You’re starting a company and it's like, hey, here's what you do with our data and by the way, we're going to monitor you because you're an employee and this is what we're going to do. And then you do something wrong and they're like, okay, you should have secured something, you should have done so. But ultimately we didn't do anything to provide clean dashboards and say, hey, here's the files you have access to. Here's the stuff that has sensitive data in there. Did you know these people have access to it? You know, it's in this nonsense repository. We recommend you do something about it. We haven't taken that push. It's been this whole, we're going to block you and then we have the shadow IT issue. Now we've got a problem, now we've got this. And ultimately it's because we didn't really engage with the users, because they understand now that this data is valuable and it's important to them, it's important their jobs, and you do the right thing. But there's a better way to do this than me taxing them to say, save something the right way versus me give you insights, to say, did you know that you have access to this environment? Maybe you should move this, maybe you should do something better. Let me explain it. You have to give them chance to be part of the solution because rising tides for data governance is what's going to lift all boats. This is not going to be solved by one person in the corner when we're trying to understand the value of data and the risk associated with the data, managing it on both sides of the fence.

Jamal:

Thank you so much for sharing those. It’s been a super valuable podcast. I think we're going to have to put a warning before we release this episode. Make sure you come with a pen and paper because you're going to want to make lots of notes. The good thing is people can pause and stop and they can listen to it over and over again. Jeff, you mentioned a couple of things. You mentioned DLP data loss prevention for those of you who are new to the acronym. And we spoke about people having access to that. And I want to talk about IAM so identity and access management here a little bit as well. Can you give us a bit of a breakdown on data loss prevention and how it can actually help businesses and why, if you haven't got this for your business already, you should start thinking about it.

Jeff:

Yeah, you absolutely have to have it because it's part of a date to me when I look at DLP in the past, ten years ago, I would have said it was the best program you could have. It was a great awareness program. It drove so much for the industry at the time. You looked at the data in shock and awe and you've seen everything and what you should do. Now you start to look, and I think the data loss prevention is a key part of any program. But when you try to think about what you really want to achieve, and I think you said it earlier, take the acronym off the table. And what is your goal here? If your goal is to prevent data, then how can you do this in the least intrusive way to the users and do this within their workflows that they're used to. And I think there's different approaches. You think about something like email, a lot of people today will say, we're going to send there's kind of two approaches. You can send an email out and something will trigger and say, oh, I see PII in this information, so it should be blocked or it should be encrypted, or we're going to send you a link and bring you back or do something. The reality is, you really start to ask yourself is, why is the data even in the email in the first place? Why are you even encrypting it? Why was it there? I mean, if 85% of Microsoft mailboxes have been compromised over the years, then would one look at that and say that that's a safe place to store PII data?

Jamal:

Absolutely, it's not.

Jeff:

And so you really have to step back and say, I realize what the vendors are telling us and what they're selling, but what am I really trying to do? What is my goal here? You look at your endpoint, it's just like we don't care about our endpoints. If we lost it on the bus or forgot it, nobody would care. I care about the data on the endpoint. I care that it's encrypted. It's the same. When you look at your data on that end point, you say, well, what does that mean? Well, first off, on an end point, I don't even know why we have ports on these things anymore. With the speeds that we have, there's no reason to use USB sticks or any of this stuff anymore. So logically, these machines can be so much simpler today. And how we look at it, you look at something like your my documents, or your data drive? It's really simple. We do this at our company, it's great. We take people's documents and we put them in a cloud based file, private folder, so that when we do scanning and we do all these things, we scan it from that repository so those endpoints don't feel this pain. They're backed up, they're covered for ransomware, all these great things. We find PII, we reflect that back down to the end point and say, look, removed it from here because it's PII. You're getting your legal holds and when you're going into your privacy request now, you can include the data from these endpoints and say, because otherwise it's really hard to come up and fulfil a privacy request in the set time that you have across all of your machines that are distributed all over the world, how do you do this and. And a lot of people say it's out of scope. If it's not out of scope for eDiscovery, then why would it be out of scope of privacy?

Jamal:

Yes, you're absolutely right. And this is the real challenge I see across clients, regardless of what size they are? How do you understand where all that PII is across all of your systems and across all of your offices and across all of your locations? But if you have a process just like you do in Place, where you actually have a central repository for all of that and you can identify where they are, then it becomes so much easier. And why should we say it matters when we want to understand what the business does? And it doesn't actually matter for the individual who is trying to look and understand the legality of what you're doing with their personal information, right?

Jeff:

That's right. It's trusting. And I look forward to the day that people start looking at organizations and they start to think about what they're filling out on like a website or they're starting to think about the organization. Do I trust this organization before I give them this data? How do I do it? One of these I do is kind of simple, and I'm sure you probably do these techniques as well, but I have a spammer gmail account and so if I go to a Target or something, I'll put it like Jeff. But instead of just saying@gmail.com I'll put the plus symbol that they offer plus Target@gmail.com. And a lot of people don't see that. And the reason why is because I want to see what they do with my data. Nobody's going to tell me until I start getting these emails in or this data in and I want to know what they're doing. And then that's the way you can start to define who you want to work with and who you can trust and who you can't because you can't figure out what they're going to do with your data when they say, we need your email for this coupon. You have no idea.

Jamal:

Yeah, and that is something I've been doing for some time. And it's really fascinating when you get an email from something or somewhere, and you’re like, hang on a minute, I've not got any relationship over here. But because you've added that plus sign before you've put the@gmail.com, you can see exactly who has handed out your personal information. And if you're listening to this podcast and you're not really sure what Jeff and I are discussing here. So when you have your email address so let's just say it's Jeffs@gmail.com, that's what you'd normally put in. But when you signing up something. When you're handing over your personal email address to somebody for the first time. What you can do is before the @ sign after Jeff, you can add a plus and then the name of the data controller. The name of the business. The name of the organization you're giving your information to. It's not going to affect you receiving the emails because the way it works is not going to pick that information up. But when it comes into your inbox, you can actually see if that information has been shared to somebody else. You know where the source of it is. And so many people complain about their phone numbers getting handed out, their email addresses getting handed out. And now you can actually do that investigation and see exactly who is going around handing your information out. And if they've told you they're going to do this, then great. And if they haven't, well, it's up to you to decide what you want to do about that.

Jeff:

I guess that's right. And now you can understand and you can start to think about who you want to trust, right as you're working with these companies of what you want to think about, because that's what it's all about. I don't go to certain stores, I don't go into them, I don't trust them. I don't spend my money there. I won't step foot in them. And that's okay. But a lot of it comes from things like this. You do this and you're like, wow, I can't believe this is what you do with my data. And you really see it.

Jamal:

And that's really interesting what you've just said there Jeff, is I don't go to certain stores because I don't trust them with my personal data. And as we're progressing, we are seeing more and more people are actually now making decisions based on how much they trust businesses with their personal information over and above anything else that they might be offering in terms of price, in terms of features, in terms of quality, PII or how they look after your privacy is really playing a big part of people's decision making process. And I know that big businesses are actually aware of this because we can see companies like Amazon, companies like Apple really selling privacy and taking out advertising space, not talking about their features or anything else, but talking about how they value your privacy. And what do you think the future is for when it comes to people making decisions? Do you think we're going to see a lot more people making decisions based on privacy?

Jeff:

I do. And I think we will pay for privacy aggregators for us. As consumers, I think we'll have privacy solutions that we will make the investments on and we're going to realize what it's like and what it's worth to pay for privacy. And I think that's going to come and we should pay for it. I have no problem with that. I don't want your free service. I'd rather pay for the service and have my data private. I have no problem with that. Charge me the $5 a month or whatever you want and move on. So I think there's going to be a lot of people that start to look at this and say, if it's free, it's free for a reason. I'm the product, and start to understand that and start to think about how they want to work with this data. You start to see it and you hear it often now, right? And it's great to hear it when people say, what are you going to do with that number? Why do you want my number? And you start to hear it's like, well, this is great, thanks for asking. I'm glad people are starting to ask the question and you start to ask, why do you need this data? What is the purpose? Why do you need so much of my data? What is this? I think we're starting to see people asking these questions, starting to say no. And I think that we're going to be paying for privacy. I think we're going to have some privacy aggregators, like consumer-based products that we're going to bear in the store coming out to help us with these problems.

Jamal:

Super interesting. And how can businesses use that as a competitive advantage?

Jeff:

It's funny you say that, because first, trust is we're seeing with Apple, right? I mean, we're seeing it everywhere. It's a big deal of who you can trust and what data you want to secure and how you function. It's there today, and people are starting to do it. But I think one of the things that are most interesting about this is some of the new regulations that are coming about. They're fascinating to me, and I think the long term effects, and I'm sure you've seen this as well, nowadays when you have a breach, it’s going to be illegal shortly to not report that breach, right. In the US. Anyway, under Biden and all this stuff that's occurring. So if you take that and you think about this and you say, well, I'm a small construction company, I don't really care, and I have a breach, all right, that seems like no big deal. Well, now you're going to be for that next project. Well, now that you go to Bid, the next project, the company that you're trying to work with is going to run your data and they're going to look at this and they're going to say, wait a minute. You show up in a breach database, you're a high risk supplier because you're high risk supplier my insurance is through the roof, or if there's anything associated with you, they won't pay it. So in essence, it's all starting to connect back, which means if you have a breach because you didn't have your program set up and you weren't managing the privacy thing that you need to have, you're ultimately not going to win contracts because you're going to be a higher risk vendor to the cyber insurance companies that they're working with. So cyber insurance because of ransomware. I say I look at this year as being the year of the ransomware that impact, and I think next year is going to be the result of that in terms of cyber insurance policies, they're already coming. They're shooting through the roof. 300% people are getting dropped from policies, and they're starting to connect the stops, right, do you have a private policy program? Do you have a map of your data, map of your information? Do you have a data classification strategy? Who are your third party vendors? How do you recommend them? They're starting to look and they're starting to ask the questions. So these little things that we're talking about where people say, well, it's not me as a business, I don't have to worry about this. You absolutely do, because it's going to be more expensive and more risky to work with you in the future when you have this brief. So it's forcing a lot of companies to move forward with these programs. I don't think they're doing the best job of asking the privacy questions yet, but they are asking things like data maps, do you have an inventory of your data? So they're starting to have some great questions and enforce some hard conversations. And by the way, if you say you do and you don't, they're not paying you, they're not paying out, you have a reason you're not getting paid.

Jamal:

I've actually seen an increase, and a lot of the work on the consultancy side is increasing into actually looking at what the insurance requirements are and making sure that the privacy program and the security program is in line with what the requirements are so they can bring the policy right down. Because I've had some clients who have had some astronomical increases to their premium and they're like, hang on a minute, we need to do something about this. And when they've given them a call and spoken to them, they said, what can we do about this? They said, well, here's a list of things that you can do to bring that premium right now. And if you can demonstrate that you have good governance in place, you can demonstrate that you have good security, good policies, good awareness, then we bring it right down. So I think it's going to become more and more important, and I think as insurance companies are raising their prices because they see the threat and the risk here, it will actually make businesses who may not be so focused on security and privacy right now, but they're going to really start asking those questions. I think that's going to drive a huge amount of work in the industry. So it's a very exciting time for anyone who is in the data privacy and data security sector thinking about a career in there. And I think the future is only going to grow. What are your predictions for how the industry is shaping up and where it's heading?

Jeff:

It's unfortunate that, it's moving forward, but not moving forward fast enough, especially in the US. Everybody talks about it, they're saying it, but it's just talk right now. It's not happening. It's a lot of confusion. I think these state-by-state laws are not doing well. So it's going to continue. It's got to come up with some federal laws in the US. We have to have a federal law that we do this with. This is just too much. But I definitely think we're going to continue to see the stuff across the line. It's got to become a right in the United States of privacy and the right to do these things across the board. And when that occurs, I think we're going to start seeing some and we start seeing some legal cases associated for it. Right. Hey, I requested privacy, you couldn't provide it. You're going to see the lawsuits. You're going to see the lawyers coming out everywhere, people trying to defend themselves. They're going to start doing something. It's just unfortunate. It's going to come to the fact that we're going to continue with state laws. We're going to wait till these attorneys come after everybody, and then the companies are going to start responding because of the suits. And I wish we didn't have to do that, but that's unfortunately the way I think it's going to get fixed.

Jamal:

Yeah, I mean, we're seeing that in UK, British Airways, they had a major breach and there was a very interesting suit against them and they've actually decided to settle that now, but it was a private settlement. They haven't disclosed what that settlement looks like, but from what we can understand, it's been very significant and other companies are really starting to pay attention and take notice.

Jeff:

Yeah, that's where it changes, right, when it becomes civil suits and civil lawsuits, class action lawsuits. That's not a negotiated government fine, because you can do that because you're Visa or something. I'm just throwing random names out there, but a little bit different when the government is going to come in and say things are changing and you are bringing to court, the judge is going to say you're guilty and you're paying, you're negligent.

Jamal:

Exactly. And it's like, it's not just going to be one person. It's going to be potentially thousands, depending on how large your company is.

Jeff:

It's going to be like, if you think about it, you went on the street today and you see like these signs of lawyers and it's like, hey, you got hurt today. Give us a call, right? You're going to start seeing data breach, give us a call. Give us a call.

Jamal:

This is the thing, they're not even going to ask, have you had a data breach there? They’re going to be like, have you ever done business with this company? Well, you could be entitled to compensation.

Jeff:

You know, anybody who worked there during the eight-year period, it's going to start getting very interesting.

Jamal:

Thank you so much for all of the value that you provided. Jeff, you spoke about data protection, you spoke about encryption key manager. We spoke about data loss prevention, identity and access management, and we also spoke about the pragmatics of actually when it comes to hiring someone and some of the challenges and what you'll be looking for bringing talent into your team. So the last question is, do you have a question for me?

Jeff:

I do. Especially with what you're seeing in terms of the regulatories and with what you're seeing, do you think it's getting better? What are you looking forward to.

Jamal:

When you say, do I think it's getting better? From what perspective?

Jeff:

Jeff well, you're seeing some adoption, and I think we're starting to see this. But when you're starting to see organizations, and I mean over there in the UK, I'm sure you guys have seen it, but are you seeing that the privacy, you're seeing this at a board level, are people spending the money to do this right? You look at security in the past, and it was like you've seen security. Security, that's the most important thing. But then you look at the budgets, and it was like, out of the CIO's budget, 3% went to security and 97 went to video cameras or whatever else they wanted. And, yeah, we said it was getting better, but the money wasn't being spent, the people weren't being hired. I'm curious what you're starting to see out there as you're working with these folks.

Jamal:

Yeah. So across the UK and across Europe, I do think we are making progress. I don't think we're making enough progress, and I don't think it's still a priority on the board as much as it should be. There are discussions about it. Whenever there is a massive breach, when there is a big civil suit, it does come up as a topic again. But I'm not seeing enough businesses investing the resources, making the funds available, making the head count available to really make a dent and do something about this. We are seeing more that some of the larger global companies are actually really increasing their headcount and really thinking about what they can do to move forward. The challenge here in the UK is when you have businesses that are not multinational and you have just large businesses just based here nationally, what they're saying is, well, the ICO, we've had four fines over the last three years, and they've just been to massive companies. How much of a risk do we actually have? And the appetite to do something about it still seems to be driven by fear of fines, by fear of enforcement, rather than an appetite to say, hey, we need to be responsible here and do the right thing. And we want to make sure that all of our customers trust us, all of our employees trust us. All of our stakeholders are confident that we have robust practices when it comes to upholding and respecting the trust that people give to us when they share their personal information with us. So I think, yes, we are seeing small increments towards it, but there's still a lot of work to go, and I don't think we're anywhere near where we need to be right now.

Jeff:

Yeah, that makes sense. And that's what I'm seeing in the US as well. It's a lot of conversation, which is great. An event comes up, it sparks up, which is great. But when you look at the dollars and the cents associated, hiring one person over and say, hey, you’re our privacy officer, it's a tricky one right now.

Jamal:

Yeah. I think one of the biggest challenges I seem to be coming up against is the board sees it more as a cost, but they don't actually see the benefits. They don't actually think there will be any ROI. There's no return on investment and spending this money in privacy. But when you see companies like Apple and companies like Amazon, you can see that they know this is going to give you ROI. This can actually be used to increase revenue, increase profitability, save some money. As soon as businesses and boards start taking that attitude, I think you're going to see it's going to be completely different ballgame.

Jeff:

Yeah, I think it's spot on. I think when they start to understand the benefits of being the trusted source, or maybe this is a bank you can trust, this is what we do. This is how we are transparent. We are. I think you're spot on. And I can't wait to see more companies that are starting to position themselves for trust right in what they do. It's great to see Apple do, and I just can't wait to see and I'm hoping to see more continued on a path.

Jamal:

Yeah, absolutely. Jeff, you've been an amazing guest. Thank you very much for sharing so much valuable information. I'm so happy you made the time to come and speak to us today, and I look forward to catching up with you again soon.

Jeff:

Sounds great. Thanks so much. It was lovely. Thank you.

Outro:

If you enjoyed this episode, be sure to subscribe, like, and share so you're notified when a new episode is released.

Outro:

Remember to join the Privacy Pros Academy Facebook group where we answer your questions.

Outro:

Thank you so much for listening. I hope you're leaving with some great things that will add value on your journey as a world class privacy pro.

Outro:

Please leave us a four- or five-star review.

Outro:

And if you'd like to appear on a future episode of our podcast, or.

Outro:

Have a suggestion for a topic you'd likely to hear more about, please send.

Outro:

An email to team@kazient.co.uk

Outro:

Until next time, peace be with you. Bye.

Chapters

Video

More from YouTube