Is the cloud secure? with CISO from Insurity, Jay Wilson
Episode 8 • 16th December 2022 • 10 Questions to Cyber Resilience • Assurance IT


Shownotes

Assurance IT invited Insurity's CISO, Jay Wilson to discuss SaaS platform, cloud security and data privacy.


In this episode, Jay Wilson from Insurity and co-founder of Assurance IT, Luigi Tiano, discuss: 

  1. Pros and cons of SaaS platforms
  2. Should hardware be back on-prem?
  3. Cloud security: Is it where it needs to be?
  4. Are security risks between cloud and on-prem similar?
  5. How to backup SaaS applications
  6. Difficulty of complying with data privacy regulations from around the world
  7. Do data privacy regulations make us better?


Resources: 

Watch the episode: https://youtu.be/a8YWmt-QcVU

Jay Wilson’s LinkedIn: https://www.linkedin.com/in/jaywwilson/

Luigi Tiano’s LinkedIn: https://www.linkedin.com/in/luigitiano/

Assurance IT Website: http://www.assuranceit.ca/


About Jay Wilson: 

As an experienced technology executive across multiple disciplines and sectors, Jay leads operations, delivery and strategy across global cross-discipline teams to produce and protect innovative products, growth strategies and measurable results.


In his role of Chief Information Security Officer at Mercury Healthcare, he is responsible for advancing the information security and compliance program, ensuring our business operations and client-facing product technologies are safe from attack, exceed regulatory standards and protect the critically important protected health data assets that Mercury Healthcare manages for over 1000 hospitals. Additionally, he led our efforts to align to industry-leading compliance and security frameworks, including HITRUST certification of the Mercury Patient Engagement Solution / CRM. Further, he also leads and directs the IT function at Mercury Healthcare to improve the efficacy, efficiency and effectiveness of IT/Helpdesk functions within the organization.


He is CISM, CHP and CSCS certified and has over 20 years of experience in various technology development and leadership roles. Also a graduate of SapientNitro's CMTO University program, with a background as a professional marketing technologist and a consummate student of innovation and psychology, he focuses additional effort on the potential of people in the world of business+technology convergence. He has previously led (at Healthgrades) the Learning Academy program, part of HG's previous leadership development program, to help grow our people in communication, leadership and creating impact.


His experiences in technologies are broad and diverse, but he has had the privilege of working in: Security Infrastructure, Network Engineering, Automation Engineering, Advertising Technologies, Data Engineering, Distributed Computing, Professional Video, Cloud Computing, DevOps, Containers, Front End Web Technologies, Server-side Technologies, Microservices & API Development.



About 10 Questions to Cyber Resilience: 

Twice per month, learn about how IT leaders are strengthening their cyber security practices. Every episode comprises 10 questions that get you one step closer to cyber resilience. Subscribe to stay up-to-date with hot topics in cyber security.



About Assurance IT: 

Assurance IT (www.assuranceit.ca) specializes in data protection and data privacy for the mid-market in Canada, since 2011. The Montreal-based company’s unique approach to helping customers become cyber resilient is called the PPR Methodology which stands for Prepare, Protect and Recover. Based on industry best practices, the PPR Methodology is an easier way to achieve cyber security and compliance objectives.

Transcripts

Speaker:

This is 10 questions to

Speaker:

cyber resilience brought

Speaker:

to you by assurance it

Speaker:

released twice per month.

Speaker:

Every episode brings you one

Speaker:

step closer to cyber resilience

Speaker:

by hearing how it leaders are

Speaker:

practicing cyber security.

Speaker:

Resources mentioned in the episode

Speaker:

can be found in the show notes.

Speaker:

If you are ready to take your

Speaker:

cyber resilience to the next

Speaker:

level, be sure to subscribe so

Speaker:

you can catch every episode.

Speaker:

Thank you for joining us

Speaker:

today, Jay, on our podcast.

Speaker:

I got Jay Wilson from

Speaker:

Insurity on the line with us.

Speaker:

I'll let Jay introduce himself

Speaker:

cuz he's got a long list of

Speaker:

experience and expertise that

Speaker:

he's gonna share with us.

Speaker:

And really happy you can make

Speaker:

the time for us today, Jay

Speaker:

so go ahead and introduce

Speaker:

yourself before we jump

Speaker:

into today's episode.

Speaker:

Awesome.

Speaker:

Thanks Luigi.

Speaker:

Thanks for inviting me

Speaker:

to talk with you today.

Speaker:

Come from a wide range

Speaker:

of technical background.

Speaker:

Started off as a software

Speaker:

developer back in the day

Speaker:

and became a CTO at a couple

Speaker:

startups that didn't get big

Speaker:

And then moved my way into

Speaker:

technical consulting at Nitro,

Speaker:

before going to my last job,

Speaker:

which was at Health Grades

Speaker:

where I was the CISO there,

Speaker:

and now I'm a CISO at Insurity.

Speaker:

So wide range of background in

Speaker:

software engineering, technical

Speaker:

development, consulting,

Speaker:

and then kind of merged

Speaker:

into security and excited

Speaker:

to be in the security space.

Speaker:

Even more excited to

Speaker:

be at Insurity as well.

Speaker:

Nice.

Speaker:

Sounds interesting.

Speaker:

I like that.

Speaker:

Being a CISO at a healthcare

Speaker:

organization, that's not

Speaker:

the easiest job, I'm sure.

Speaker:

Yeah, yeah.

Speaker:

Bless everyone who is

Speaker:

still in those roles.

Speaker:

Very challenging.

Speaker:

You know, healthcare like many

Speaker:

other sectors, but I think

Speaker:

especially healthcare just faces

Speaker:

so many different challenges.

Speaker:

Very regulated, very targeted.

Speaker:

We had a lot of targeted attacks

Speaker:

that came our way, in that space.

Speaker:

Healthcare data is just so

Speaker:

prized by the underbelly,

Speaker:

the hackers, the dark web.

Speaker:

Right.

Speaker:

It's very powerful information.

Speaker:

Yeah, I agree.

Speaker:

And that's why I wanted

Speaker:

to comment on that.

Speaker:

But now you've moved to Insurity.

Speaker:

You're based in Colorado.

Speaker:

Correct.

Speaker:

Based in Denver.

Speaker:

And tell us a little bit about

Speaker:

Insurity, cuz Insurity's a

Speaker:

pretty interesting company.

Speaker:

I know them from a past life and

Speaker:

I know some of the folks there.

Speaker:

Give us a little bit about

Speaker:

Insurity, cuz that's gonna kind of

Speaker:

be a segue into our episode here.

Speaker:

Yeah, absolutely.

Speaker:

So Insurity is the largest

Speaker:

cloud based SaaS provider of

Speaker:

insurance technologies to the

Speaker:

PNC market in North America.

Speaker:

So we're kind of providing

Speaker:

the glue for a lot of property

Speaker:

casualty insurers and other

Speaker:

lines of insurance across North

Speaker:

America, but also across the globe.

Speaker:

I just get to use largest

Speaker:

when I say North America.

Speaker:

Everybody likes superlatives.

Speaker:

You know, we're connecting those

Speaker:

insurers with the technology they

Speaker:

need to accelerate their business.

Speaker:

So if insurers wanna spin up new

Speaker:

capabilities inside their business,

Speaker:

they can lean on our systems

Speaker:

and softwares and teams to help

Speaker:

accelerate that work for them.

Speaker:

In today's episode we're gonna

Speaker:

talk a lot about SaaS and maybe

Speaker:

even platform as a service and

Speaker:

how to secure a cloud and SaaS.

Speaker:

And not only from the enterprise,

Speaker:

but also as an end user,

Speaker:

what you should know, right?

Speaker:

Now, being a SaaS platform.

Speaker:

Let's talk a little bit about how

Speaker:

we've seen the evolution of SaaS.

Speaker:

Many enterprises have moved

Speaker:

to a SaaS offering even PaaS

Speaker:

in some ways, and this is

Speaker:

kind of a question that we

Speaker:

can debate back and forth.

Speaker:

Now, SaaS is supposed to

Speaker:

lower total cost of ownership.

Speaker:

Right?

Speaker:

I'd like to discuss that

Speaker:

because there is a lot of

Speaker:

debate around when you move to

Speaker:

SaaS, there's an initial CapEx

Speaker:

investment that that's done.

Speaker:

But in the long term, I'd like to

Speaker:

hear what you have to say about the

Speaker:

caveats and of course, the pros and

Speaker:

cons of moving to a SaaS platform.

Speaker:

Just your experience on that.

Speaker:

Sure.

Speaker:

Look, there's multiple kind of

Speaker:

perspectives, I'd say on SaaS

Speaker:

and PaaS versus, you know,

Speaker:

building things internally.

Speaker:

But being an IT and security

Speaker:

professional for many years now I

Speaker:

would say we're not at the point

Speaker:

where we're deciding whether

Speaker:

we use it, but where we use.

Speaker:

It isn't a choice.

Speaker:

You have to use it really to

Speaker:

get certain capabilities out

Speaker:

the door in certain timeframes.

Speaker:

So you have to be thoughtful

Speaker:

in the way you use it.

Speaker:

And as a SaaS provider, I would say

Speaker:

that we play a similar role for our

Speaker:

clients where, we're providing them

Speaker:

capabilities that really they need.

Speaker:

So.

Speaker:

Yes, there's a certain

Speaker:

balance to that equation.

Speaker:

Okay?

Speaker:

If we build it ourselves and we

Speaker:

own it, we certainly know what

Speaker:

the TCO is gonna be over time.

Speaker:

But in the context of maybe point

Speaker:

solutions you can contain it or you

Speaker:

can build the right partnerships

Speaker:

with the right vendors.

Speaker:

I'd say, I think.

Speaker:

I can't imagine building and

Speaker:

owning an IT infrastructure without

Speaker:

relying on critical SaaS partners.

Speaker:

That's a very fair statement.

Speaker:

And frankly, we do offer here

Speaker:

at Assurance IT, some sort of

Speaker:

SaaS solutions for our clients.

Speaker:

So, I mean, it's a debate cuz

Speaker:

I like to hear both sides of

Speaker:

it, but ultimately I think it's

Speaker:

important, as you mentioned,

Speaker:

there's an evolution of, you

Speaker:

know, where you're using, how

Speaker:

you're using it versus, your

Speaker:

statement earlier was on point.

Speaker:

I tend to agree with that.

Speaker:

I guess one thing that I've

Speaker:

seen lately in the news, and

Speaker:

maybe you've seen this as well,

Speaker:

is there's a lot of articles

Speaker:

pointing back to companies looking

Speaker:

at bringing some stuff back

Speaker:

on-prem and I know this is not

Speaker:

application centric, but this is

Speaker:

just infrastructure centric, and

Speaker:

I know Insurity probably does a

Speaker:

lot of cloud-based infrastructure.

Speaker:

I know you guys are probably a big

Speaker:

IaaS consumer as well, but what's

Speaker:

your take on that whole argument

Speaker:

about bringing our hardware back

Speaker:

on-prem have you seen that as well?

Speaker:

I have actually.

Speaker:

I've seen it in a

Speaker:

couple different places.

Speaker:

It's an interesting trend and

Speaker:

I think that like anything,

Speaker:

there's right use cases to

Speaker:

bring back and there's wrong

Speaker:

use cases to bring back.

Speaker:

But most commonly what I

Speaker:

see around cloud, let's just

Speaker:

take cloud as an example.

Speaker:

You sometimes have businesses

Speaker:

that have, call it a lack of

Speaker:

depth in the operational side

Speaker:

of using cloud, and that's where

Speaker:

you tend to have those pullbacks

Speaker:

have to occur because if you

Speaker:

don't have the operational acumen

Speaker:

to like really own and operate

Speaker:

with your partner, your cloud

Speaker:

partner, in the appropriate

Speaker:

manner, your bill turns

Speaker:

into a blank check, right?

Speaker:

It gets really

Speaker:

dangerous, really fast.

Speaker:

So I think that the pullbacks

Speaker:

that we're seeing are businesses

Speaker:

recognizing, look, whichever

Speaker:

way you wanna look at it, we're

Speaker:

better in an operating mode

Speaker:

at an on-prem kinda world.

Speaker:

And that's not a judgment.

Speaker:

But I can say at Insurity,

Speaker:

we're very good at operating

Speaker:

in a cloud environment.

Speaker:

You know, every business comes

Speaker:

from different DNA or bones, right?

Speaker:

And I think that those are good

Speaker:

decisions for some firms and, maybe

Speaker:

not good decisions for others.

Speaker:

So uncontrollable cloud

Speaker:

costs are causing people

Speaker:

to revisit their strategy.

Speaker:

I think it's more predictable when

Speaker:

you buy a server, and I'm just

Speaker:

using one very simple example.

Speaker:

You buy a server, you know what's

Speaker:

gonna cost you, how long you

Speaker:

can amortize it and you know

Speaker:

what it costs to operate that.

Speaker:

I think, like you mentioned, it

Speaker:

stems from the fact of maybe having

Speaker:

a lack of skill set to operate

Speaker:

one cloud or multi-cloud strategy.

Speaker:

There is a complexity of working

Speaker:

with either one cloud vendor

Speaker:

or multi-cloud vendor, having

Speaker:

a multi-cloud vendor approach.

Speaker:

So I appreciate what you've said

Speaker:

and that makes a lot of sense.

Speaker:

For a lot of companies, if they

Speaker:

can't understand the cost or they

Speaker:

can't contain the cost, I think

Speaker:

that causes a panic, like you

Speaker:

mentioned, and they just say,

Speaker:

okay, let's come back on prem.

Speaker:

And frankly, if you're able

Speaker:

to successfully operate in

Speaker:

an on-prem world and do that

Speaker:

in a cost efficient and an

Speaker:

operationally efficient manner,

Speaker:

and one that doesn't hamper your

Speaker:

engineering or R&D capabilities,

Speaker:

all the more power to you.

Speaker:

There's nothing wrong with that.

Speaker:

It's been working for 20 years.

Speaker:

I don't really have anything

Speaker:

bad to say about it cuz

Speaker:

I came from that world.

Speaker:

Right, right.

Speaker:

I think it's more to say if you

Speaker:

are able to operate in a cloud

Speaker:

based environment and you can put

Speaker:

the right controls, processes,

Speaker:

teams, expertise around it.

Speaker:

And make it profitable

Speaker:

to your business, then

Speaker:

that's even more powerful.

Speaker:

That's how I look at it.

Speaker:

Like, if you can do it and do

Speaker:

it well, you should, because

Speaker:

cloud tends to give you more

Speaker:

flexibility and capabilities.

Speaker:

But if you can't and you've figured

Speaker:

out how to make on-prem work for

Speaker:

your business, that's awesome.

Speaker:

Like neither one is a bad choice.

Speaker:

It's just like everything, the

Speaker:

devil's in the details, right?

Speaker:

I think ultimately we're seeing

Speaker:

a hybrid approach becoming

Speaker:

the ultimate architecture, I

Speaker:

think for a lot of businesses.

Speaker:

I mean, you still have a lot of

Speaker:

businesses, especially in the

Speaker:

healthcare and especially in the

Speaker:

utilities space, you have a lot

Speaker:

of legacy hardware that sometimes

Speaker:

is very difficult to transition

Speaker:

to a virtual or cloud provider.

Speaker:

So I think ultimately in

Speaker:

the large enterprise, you're

Speaker:

still gonna see some hybrid.

Speaker:

The banks, the financial

Speaker:

institutions, the healthcare of

Speaker:

course, and insurance business.

Speaker:

You're an outlier.

Speaker:

I mean, you're insurance, but I

Speaker:

think you've been one of the ones

Speaker:

that have gone full SaaS and be

Speaker:

able to provide a solution to

Speaker:

your clients that's fully turnkey.

Speaker:

Which is admirable.

Speaker:

Can you tell us though,

Speaker:

about cloud security?

Speaker:

Cuz I think that's become a

Speaker:

topic that people kind of they

Speaker:

shied away from for a while and

Speaker:

now it's become top of mind.

Speaker:

Because if you're operating

Speaker:

in a SaaS or in a cloud-based

Speaker:

environment, you have to have

Speaker:

the skill set to secure a cloud.

Speaker:

Right?

Speaker:

So what's your take on that?

Speaker:

Can you tell us a little bit

Speaker:

about your experience around that?

Speaker:

Are we up to speed when it comes

Speaker:

to skill sets in the market?

Speaker:

Are the cloud providers giving

Speaker:

us the right tools to properly

Speaker:

secure the cloud and SaaS

Speaker:

environments that we're operating?

Speaker:

Yeah, that's a big topic, right?

Speaker:

I could go lots of

Speaker:

different directions.

Speaker:

Yeah, I know, I

Speaker:

know, I know, I know

Speaker:

. So look, I think that there's

Speaker:

still some catching up in the

Speaker:

business on cloud and security.

Speaker:

When you look at the origins of

Speaker:

cloud, where did cloud come from?

Speaker:

You know, it started with

Speaker:

virtualization that you could

Speaker:

control programmatically.

Speaker:

It was an IT endeavor that

Speaker:

engineers really gravitated to.

Speaker:

They're like, oh, cool, I can

Speaker:

turn on a server with an API call.

Speaker:

And it evolved from that use case.

Speaker:

So, it became an engineering led

Speaker:

effort to put cloud in place.

Speaker:

And engineering and security

Speaker:

don't always pair up.

Speaker:

I mean, in good organizations

Speaker:

they do, but they don't

Speaker:

always historically.

Speaker:

And so I think that security

Speaker:

has been, kind of catching

Speaker:

up over the years in cloud.

Speaker:

If you think like historically

Speaker:

to where we are today, I

Speaker:

think it's certainly capable.

Speaker:

You can do it, you can

Speaker:

secure a cloud very well.

Speaker:

There's no doubt about that.

Speaker:

You just have to know what you're

Speaker:

doing and you know, you have to

Speaker:

bring the right resources to bear.

Speaker:

I think as far as the cloud

Speaker:

providers, And what they're

Speaker:

offering from a tooling

Speaker:

perspective, the big players are

Speaker:

offering very capable platforms

Speaker:

on the security front, right?

Speaker:

There might be smaller offshoots

Speaker:

where it's a little, little less

Speaker:

clear, but you know, your AWSs

Speaker:

and your Microsoft's of the world.

Speaker:

You've got all the

Speaker:

tools you need for sure.

Speaker:

There's no doubt about it.

Speaker:

Yeah.

Speaker:

It's very secure built in and

Speaker:

yeah, they do provide you the

Speaker:

tools and I do concur with that.

Speaker:

I think, and just in general,

Speaker:

if you're outside the IT world

Speaker:

you can't fathom how somebody

Speaker:

or something else is managing

Speaker:

your infrastructure and you

Speaker:

can't touch and feel it, but

Speaker:

you wanna feel good about where

Speaker:

your infrastructure is, where

Speaker:

your data lies, and so on.

Speaker:

So I think we have some education

Speaker:

to do, frankly, just in general

Speaker:

to the larger population about

Speaker:

how the data will be managed,

Speaker:

contained, secured, and so on.

Speaker:

And to your point, I

Speaker:

think it's an evolution.

Speaker:

I think we have

Speaker:

some catch up to do.

Speaker:

We're catching up and I

Speaker:

think we're doing a good job.

Speaker:

In my opinion, and obviously, I

Speaker:

welcome your comment on this,

Speaker:

but I think whether you're cloud

Speaker:

or on-prem, you face the very

Speaker:

similar risks, whether you're on

Speaker:

prem or in the cloud in terms of

Speaker:

hackers wanting to get to you.

Speaker:

Completely agree.

Speaker:

I think that a lot of the surface

Speaker:

area challenges have normalized.

Speaker:

Whereas there are some internal

Speaker:

considerations from security

Speaker:

perspective that still make cloud

Speaker:

implementations a little trickier.

Speaker:

But when you're talking about

Speaker:

your outside surface area,

Speaker:

it's like the same thing.

Speaker:

It's all virtualized computing.

Speaker:

So it's just a question of

Speaker:

how you're configuring it.

Speaker:

And what is your defense

Speaker:

in depth kind of approach?

Speaker:

Like what are the layers of

Speaker:

the onion that you're putting

Speaker:

in place to prevent people

Speaker:

getting into your world?

Speaker:

And whether that's on prem

Speaker:

whether that's in the cloud,

Speaker:

they're the similar

Speaker:

sets of controls.

Speaker:

There's not a big divergence there.

Speaker:

In fact, there's some control

Speaker:

sets now in the space that

Speaker:

are cutting across, providing

Speaker:

services to me as a provider, if

Speaker:

I had a hybrid environment, like

Speaker:

you said, some people are doing

Speaker:

hybrids, you know, where I can

Speaker:

cut across both and that's great,

Speaker:

because now you're getting

Speaker:

kinda consistent control sets.

Speaker:

Consistent configuration and you're

Speaker:

reducing, call it some of the big

Speaker:

outages that we've seen in the last

Speaker:

couple years, like what the Fastly

Speaker:

outage or something like that where

Speaker:

somebody just like types the wrong

Speaker:

thing for a specific configuration.

Speaker:

You know, less chance of

Speaker:

those scenarios when you have

Speaker:

enterprise wide controls that

Speaker:

can cut across both environments.

Speaker:

Agreed.

Speaker:

Agreed.

Speaker:

Yeah.

Speaker:

I wanna just switch

Speaker:

gears a little bit.

Speaker:

So we're talking about

Speaker:

SaaS and infrastructure.

Speaker:

I think we're talking a lot

Speaker:

about cloud and infrastructure

Speaker:

now, but I want to talk about

Speaker:

specific SaaS applications.

Speaker:

You know, like to the end

Speaker:

user who may be watching this.

Speaker:

I mean, they may be taking

Speaker:

advantage of a SaaS-based

Speaker:

application, whether it be,

Speaker:

for simplicity, whether it's

Speaker:

HubSpot or Salesforce, or maybe

Speaker:

QuickBooks or some accounting

Speaker:

or finance application online.

Speaker:

One of the questions that

Speaker:

we see often, how's my

Speaker:

data being collected?

Speaker:

Where does it reside?

Speaker:

Who's managing that data?

Speaker:

And more importantly, how

Speaker:

does that data get backed up?

Speaker:

If I'm using QuickBooks online,

Speaker:

or I'm using HubSpot, how do

Speaker:

I know if an outage happens?

Speaker:

What happens to my data?

Speaker:

Is that something that customers

Speaker:

ask you guys as an organization?

Speaker:

How do they get that data back?

Speaker:

Well, sure.

Speaker:

This is a really important

Speaker:

question and in your question

Speaker:

you framed up I think two things

Speaker:

that are worth mentioning.

Speaker:

So in the SaaS world, there's like

Speaker:

consumer level SaaS applications,

Speaker:

like you mentioned QuickBooks.

Speaker:

And although it's a business,

Speaker:

it's still kind of like

Speaker:

you're a small business.

Speaker:

You're almost just an average

Speaker:

consumer if you're using

Speaker:

QuickBooks online, typically.

Speaker:

And then at the same time,

Speaker:

at Insurity, where we're

Speaker:

selling enterprise SaaS

Speaker:

software to business.

Speaker:

And so how those two different

Speaker:

kind of engagements shape

Speaker:

up is a little different.

Speaker:

Right?

Speaker:

As a consumer, you are putting a

Speaker:

lot of faith in your SaaS provider.

Speaker:

Almost in a blind context.

Speaker:

You signed some set of terms

Speaker:

and services that you can't read

Speaker:

because you don't have enough

Speaker:

time to, and you say, I agree.

Speaker:

Yeah, sure.

Speaker:

I'll give my firstborn

Speaker:

daughter whatever.

Speaker:

Like you have no idea

Speaker:

what it's saying.

Speaker:

And then on the other side of

Speaker:

this, where there's an enterprise

Speaker:

engagement, We're partnering

Speaker:

with our clients, it's a

Speaker:

different kind of relationship.

Speaker:

So we're providing our

Speaker:

clients evidence of backups,

Speaker:

if that's the question.

Speaker:

We bring in a third party to

Speaker:

validate our systems and you know,

Speaker:

that third party's independent

Speaker:

and saying, okay, oh look,

Speaker:

I've reviewed all this evidence

Speaker:

and I'm gonna write a report.

Speaker:

And then we hand that

Speaker:

report to our clients.

Speaker:

So, much different set

Speaker:

of circumstances, right?

Speaker:

An enterprise SaaS, there's

Speaker:

this world of third party

Speaker:

validation that's basically,

Speaker:

I would say come about,

Speaker:

especially in the last 10 years.

Speaker:

And back in the day you used to get

Speaker:

a certification from a data center.

Speaker:

Right?

Speaker:

Right.

Speaker:

And that's evolved now into

Speaker:

other industry standards,

Speaker:

whether it's ISO certs,

Speaker:

SOC two certs, things like.

Speaker:

Which we all use in different ways

Speaker:

so that we can trust each other.

Speaker:

There are mechanisms of trust.

Speaker:

I think it'd be great to see

Speaker:

that continue to refine because

Speaker:

it's still a big challenge.

Speaker:

How we all handle that

Speaker:

trust between one another.

Speaker:

I like what you said, you put

Speaker:

a blind trust, we're picking

Speaker:

on QuickBooks right now, but

Speaker:

I mean, it could be, HubSpot

Speaker:

is an enterprisewide tool.

Speaker:

I mean, it may not be as big as

Speaker:

Salesforce, but at the end of the

Speaker:

day, there's a lot of enterprises

Speaker:

who run on HubSpot a lot, right?

Speaker:

And you're putting a lot of

Speaker:

faith, you're putting your entire

Speaker:

marketing database in there.

Speaker:

You're putting your entire

Speaker:

client database and you're

Speaker:

putting a lot of financial data.

Speaker:

You're putting a lot

Speaker:

of stuff in there.

Speaker:

And then this is something

Speaker:

that I ask customers, when

Speaker:

they're talking to me about

Speaker:

their SaaS applications,

Speaker:

I ask them the question.

Speaker:

How much do you know

Speaker:

about that application?

Speaker:

Yes.

Speaker:

I mean, they may

Speaker:

be publicly traded.

Speaker:

I'm sure they've got a whole

Speaker:

slew of compliance requirements

Speaker:

they need to go through.

Speaker:

But the day you wanna pull a plug

Speaker:

with that provider, what happens?

Speaker:

Who does that data belong to?

Speaker:

And I think those are the questions

Speaker:

that we should be asking more of.

Speaker:

You mentioned you partner with

Speaker:

your clients, so there's a lot

Speaker:

more third party validation and due

Speaker:

diligence that happens, but I think

Speaker:

the blind trust needs to come down

Speaker:

a little bit and you have to ask

Speaker:

more from your provider because if

Speaker:

a platform that big gets breached,

Speaker:

they're impacting thousands

Speaker:

and thousands of businesses.

Speaker:

Absolutely.

Speaker:

Or millions of individuals.

Speaker:

Individuals.

Speaker:

Those businesses put their

Speaker:

data in, into QuickBooks

Speaker:

or whatever it might be.

Speaker:

And you're seeing that, almost a

Speaker:

continuous stream of like large

Speaker:

consumer data breaches that

Speaker:

are sometimes a result of that.

Speaker:

But I think as consumers

Speaker:

we don't have great

Speaker:

mechanisms for that, yet.

Speaker:

Because we are still beholden to

Speaker:

these third party providers and

Speaker:

take QuickBooks out of the example

Speaker:

set for a second, you know just the

Speaker:

Apples and Googles of the world.

Speaker:

We as individuals,

Speaker:

we have no leverage.

Speaker:

Right?

Speaker:

None whatsoever.

Speaker:

to force them to like, oh,

Speaker:

I'm gonna send you a red line

Speaker:

of your terms and services

Speaker:

Good luck with that one.

Speaker:

Exactly.

Speaker:

Yeah.

Speaker:

Yeah.

Speaker:

But that leads me to my last

Speaker:

question, cuz we don't have a

Speaker:

lot of time here with you and

Speaker:

I really appreciate the fact

Speaker:

that you took the time today.

Speaker:

When it comes to data

Speaker:

privacy and maintaining,

Speaker:

data privacy compliance

Speaker:

when you're servicing customers,

Speaker:

and you guys are North America

Speaker:

wide, and forgive me if I'm using

Speaker:

you guys as an example, but you

Speaker:

may have customers globally.

Speaker:

How difficult is your job when

Speaker:

you have to comply with various

Speaker:

data privacy rules, both.

Speaker:

Locally, state level,

Speaker:

federal level, and globally.

Speaker:

I mean, you've got GDPR in

Speaker:

Europe, you've got various laws

Speaker:

in the US state, state laws,

Speaker:

and of course, if you're dealing

Speaker:

with Canadian laws, you've

Speaker:

got various provincial laws.

Speaker:

So how does a Ciso or how does your

Speaker:

compliance team deal with that?

Speaker:

Has that become a huge undertaking?

Speaker:

Just to get into the

Speaker:

intricacies of it without

Speaker:

giving us too many details.

Speaker:

Yeah, of course.

Speaker:

It's an important area that we do

Speaker:

put a lot of focus in, of course.

Speaker:

Because we need to be confident

Speaker:

that we're meeting all of the

Speaker:

ins and outs of the regulations.

Speaker:

But I would say this we try to

Speaker:

find commonalities between them.

Speaker:

And one of the benefits of some

Speaker:

of these scenarios is a lot of the

Speaker:

call it the state privacy

Speaker:

laws as an example.

Speaker:

They start to kind

Speaker:

of look a lot alike.

Speaker:

So what you tend to do as

Speaker:

a business is you implement

Speaker:

actually the highest bar.

Speaker:

You say, okay, well which state has

Speaker:

the most challenging regulations?

Speaker:

Let's just meet their

Speaker:

regulations and then we'll meet

Speaker:

all the state's regulations.

Speaker:

You do things like that to

Speaker:

really kind of normalize.

Speaker:

And so instead of using the

Speaker:

lowest common denominator,

Speaker:

using the highest common

Speaker:

denominator, maybe it's a little

Speaker:

more work, but you know your

Speaker:

clients will be satisfied.

Speaker:

You know that their data will

Speaker:

be safe and be held against

Speaker:

the regulations appropriately.

Speaker:

That tends to be the model.

Speaker:

I'm not saying that's always

Speaker:

the case, but you know, you

Speaker:

try to find ways to find

Speaker:

efficiency across the regulations

Speaker:

by doing things like that.

Speaker:

Very good answer. So look for the best model that exists and strive to achieve that. Okay. Then you're exceeding the law in most cases, right?

Speaker:

No, I agree. I agree with that. It's just that sometimes it becomes overwhelming when it comes to regulation and compliance. A lot of people kind of get overwhelmed and then they try to fit everything into one box. But I think your approach is, you know, bang on, where you take the highest standard and meet it; at least you know it can't be beat. Which is a really good approach, and I appreciate that.

Speaker:

For sure. And it's a continuous effort. The regulations are gonna continue to evolve. We are continuously monitoring that. There is no one size fits all, unfortunately.

Speaker:

Yeah, yeah. No, and I can concur with that. But I think the regulation is making us better as IT professionals, frankly. I know it's not always comfortable to have to adhere to them, and it's costly and it's painful sometimes. But I mean, we're in an industry where it's ever evolving and, like you said, the attack surfaces are just getting larger and more compelling for criminals. So you have to make sure that you're covering yourself in all areas. And especially if you're dealing with end users, whether you're B2B or B2C, I think you need to make sure that validation is done properly, especially if you wanna continue to do business with individuals.

Speaker:

Completely agree. I think most of the terms in the regulations are actually helpful. Meaning they are actually things that we're doing already, right? Sometimes there are a couple gotchas, maybe a regulator hasn't updated their mindset. Every once in a while you'll find some intricacies or quirks maybe in the regulations. Or maybe the language is really vague. Those are the areas that cause most consternation usually. But overall, I think that data privacy regulations are a good thing in the sense that they codify what we should already be doing.

Speaker:

I'm gonna coin that term. Gonna use it. Really like that. Really like that, Jay. Well, Jay, listen, you've given us a lot of your time and we appreciate it. I think this is gonna be a good episode, short but sweet. We tackled one specific topic and I really appreciate what you've done for us. Good luck at Insurity. I know it's only been a few months you've been there, and it's an exciting opportunity for you. The team's great there. I know them well personally. So I wish you the best of luck and, again, thank you for the time, and I hope to speak again soon.

Speaker:

Absolutely. Likewise. Thank you.

Speaker:

Thank you, Jay.

Speaker:

Thank you for listening to 10 Questions to Cyber Resilience, brought to you by Assurance IT. Assurance IT is in the cybersecurity space, specializing in data protection and compliance since 2011; they primarily help mid-sized enterprises in Canada. If you have questions about protecting your data, reach out to us at info@assuranceit.ca.
