S3 #14 How to secure data and maintain consumer trust

Guest:
Taylor Hersom

Taylor Hersom builds world-class security programs for organizations who not only want to embrace cybersecurity but want to realize the benefits of putting data privacy first, from brand recognition to customer loyalty, while realizing substantial ROI. He was a top-performing security expert with Deloitte and then a CISO for a technology firm, where he built a security program from the ground up and caught the entrepreneurial bug. He has a keen understanding of cybersecurity & compliance as it relates to the next generation of predominantly decentralized and cloud-centric companies. He serves as the security thought leader for multiple organizations globally and as a Board Advisor for various startups.

Building consumer trust through data protection and security means your business treats data privacy and compliance like any other corporate social responsibility pledge. So how do you put data privacy first, from brand recognition to customer loyalty, while realizing substantial ROI? In this episode, Taylor Hersom talks about building world-class security programs for organizations that not only want to embrace cybersecurity but want to realize the benefits of data privacy through a sound security program.

Keywords:
data privacy, data security, data compliance, data protection, consumer loyalty, trust, GDPR, CCPA, data regulation, data breach, data sourcing
Season:
3
Episode number:
14
Duration:
31:17
Date Published:
August 18, 2022

[00:00:00] KRISTINA: Consumers are increasingly concerned about companies they do business with and have no problems going elsewhere, if they feel their personal data is at risk.

[00:00:07] INTRO: Welcome to The Power of Digital Policy, a show that helps digital marketers, online communications directors, and others throughout the organization balance out risks and opportunities created by using digital channels. Here's your host, Kristina Podnar.

[00:00:25] KRISTINA: As we all know, a critical component of digital policy is security. In fact, your brand recognition to customer loyalty hinges on getting security right. But what does that really mean? Taylor Hersom is here today to help us think through critical aspects of security and how it can help ensure trust and brand loyalty as part of any digital operations program. Taylor builds world-class security programs for organizations who not only want to embrace cybersecurity but want to realize the benefits of putting data privacy first, from brand recognition to customer loyalty, while realizing substantial ROI. I personally like the fact that he talks about brand recognition and customer loyalty, two things close to my digital policy heart. Taylor has a keen understanding of cybersecurity and compliance as it relates to the next generation of companies who are predominantly decentralized and cloud-centric, which makes him the right person for us to take advice from on the cybersecurity policy front. Taylor, welcome.

[00:01:24] TAYLOR: Thank you so much for having me, Kristina. This is an absolute honor.

[00:01:28] KRISTINA: I'm just so excited to geek out with you a little bit here, because I think, you're very insightful. You have this huge background that we can all avail ourselves with in terms of knowledge, but let's start off, tell us how can companies, whether they're established brands or whether startup mode, leverage cybersecurity to win sales and solidify their brand?

[00:01:47] TAYLOR: Oh, fantastic question. Good one to kick it off with. So, the way that I look at this is that there is a big tumultuous shift in the industry, in the business landscape. So, there are all these customers, both from a consumer perspective and a business perspective that are suddenly caring about security. So, we went through that shift where nobody cared about security, and we were signing up for every service. Nobody knew what data privacy was and then breach after breach, after breach kind of educated the market that, wow. We need to start caring about this. And so, what we are seeing is that now it's pretty much mandatory to have some sort of security program in place if you ever want to sign any kind of prestigious company. So, enterprise are setting the bar, of course, they have very stringent demand related to security posture. But now you're starting to see it in the consumer market as well. And so now it's not only mandatory. So you might as well, start to shift your mindset and say, I'd rather just invest in this now and use this market advantage, against my competitors who, who are not investing in it yet, to kind of brag about security and use that as a, Hey, I care about your data and in reality, when you're collecting sensitive data on your customers, you absolutely should care about their data. It's, it's just another element of how you need to protect your customers and how you need to serve them appropriately. So that's how I look at it. I certainly think that if it's not gonna go away, you might as well embrace it now, before everybody else figures out the secret sauce.

[00:03:11] KRISTINA: So, you said something that was very intriguing or it triggered me at least, which is, you said the word sensitive information. A lot of times we're talking about personal information, private, protected information, sensitive information, highly sensitive information, all kinds of information. Is that the right way to think about data and information and security? Or should we be thinking about it more as where it resides, like if it's on prem or in the cloud, or is it dynamic or is it static? There's all these, like, ways to think about information and data. How should we really be thinking about it?

[00:03:43] TAYLOR: In short, I think the answer is both. So, the way that we have to look at it is one, where are you storing your data? It's just like, where are you storing your cash? You know, everywhere that you store cash, you know, everywhere where all your bank accounts lie, where all your assets are. We need to treat data very similarly and then also we need to understand the sensitivity of it. And so, I think that there is absolutely different types of data. And there is the public information. There is customer centric information, there's intellectual property, and then there's very much sensitive data related to an individual, that's social security, date of birth, address, the things that can be used to go create new identities online, the things that can be used to identify yourself. Those are the sensitive elements that are very much creating quite the detriment for individuals these days when they're compromised. It's ridiculous what you can get away with online and what you can do with just a few pieces of information.

[00:04:41] KRISTINA: So, what are the types of information that we should care the most about? Because sometimes when I'm talking with marketing individuals, less so with security, but marketing individuals, they say, ah, it's just somebody's email address. Oh, it's just a name. It's, you know what, it's fine. If I export that to a Google Sheet and store it in, you know, Google Docs, which kind of makes my hair stand up. But they're like, yeah, you know, it's not really sensitive information. I'm not like storing your image or your iris of your pupil or something really identifying information like biometric data. So, where do we draw the line in terms of what information is less sensitive or it's okay to expose versus information that should be protected with your life?

[00:05:18] TAYLOR: I certainly think you should take the conservative approach whenever possible. It's fairly easy to protect all the data you collect with the same stringent controls. And so you should have this mentality of if I, if I'm not sure, then it's probably, I should probably just treat it as sensitive. So that being said things that are public, email is oftentimes public when you have a LinkedIn account, for example, full name is of course public, your job and your employer and your title. Those things are, are typically public. You can't do too much with them. It's really when it starts to get, I try to encourage people to think about it from the mentality of the last time they went and opened a bank account, or they bought a home, or they bought a car. What are those pieces of information that you had to provide? That somebody else could use in your place instead if they were compromised. And so that's kind of where I draw the line.

[00:06:09] KRISTINA: Are you seeing that shift? I'm thinking about the fact that, we're seeing more and more individuals enter the virtual reality space, augmented reality, obviously, the coming metaverse. I refuse to say that the metaverse is here, the coming metaverse, so is the type of information that needs to be secured changing at all?

[00:06:27] TAYLOR: Oh, absolutely. So, I'm actually a nerd about web three and NFTs and, and cryptocurrency and anybody, any of the listeners that are keeping up with this, it is an absolute dumpster fire right now. And that industry as a whole, because what we're seeing is a brand-new technology with people that already, they didn't have the security foundation understood when they jumped. And you're taking on more and more digital assets. So we're increasingly getting away from physical assets and moving into the metaverse, as you said, Kristina. So unfortunately, with that, you have to have fantastic security hygiene and people just don't. And so, if you go look up and you type in crypto scam or crypto breach, there are far more breaches happening in that industry than anywhere else right now. And it's largely due to the fact that people just have no idea what the heck to do and how do they protect their JPEG, or how do they protect this random currency that they just read about on the internet? So, it's a weird world we live in.

[00:07:25] KRISTINA: I've heard you say that you believe that better security equals faster growth. Talk to us about that a little bit, because we are seeing a lot of these Web 3.0 based companies going through tremendous growth. Do they need security now or can they bake it in after the fact?

[00:07:41] TAYLOR: Oh, that is such an interesting question because I would answer it in two different ways, depending on what you're talking about. In your context with Web 3.0 I think what we're seeing right now is a very unregulated industry. So, anybody and their mother could go spin up a new cryptocurrency for example, or a new NFT project. And there is no validation to the credibility of those individuals or those groups. And there's also no governing body. So even the data privacy industry in the U.S. is very laggard when it comes to just protecting data in general. So now you exacerbate that problem when you have an entirely new industry that nobody is regulating. And so, you have this crazy shift where entire businesses are being spun up with little to no security and their entire premise relies on security. They have some kind of asset that needs to be protected, that goes beyond your identity. Tons of, of data breaches around NFTs where you're losing that asset forever. I mean, the decentralized market is a blessing and a curse in this regard. And so, you've got these Web 3.0 companies that are spinning up, are not encouraging security, not offering security, not protecting their customers in any sort of way. And there are a lot of people losing a lot of money right now.

[00:08:53] KRISTINA: How can organizations ensure that their data is protected and relay that fact to their consumers? Because to me, when I think about something like security, it's kind of hard to validate that a company has protected data and they're practicing good cyber hygiene versus somebody who's just flying by the seat of their pants?

[00:09:12] TAYLOR: Great question. So, I, I think there's a two-pronged answer here. From an organizational perspective one thing I try to educate on is that security is not as hard as people make it out to be. You don't have to go invest a ton of money. Typically, it's more just understanding the data that you're collecting, of course, and then the assets that are storing that data. A lot of customers or a lot of companies rather don't even have an asset inventory. They don't even know what assets they have. How many SaaS tools am I using that store customer data? Where my cloud environment resides and, and what am I doing to protect the data within there? Is my data even encrypted? There are some basics there. We've got this huge shift to cloud, which is fantastic in a few ways, because it's easier than ever to adopt security, but unfortunately people are not even doing the basics because they don't understand the technology they're adopting. So, we, we deal with a lot of AWS and Google Cloud customers and they're not even turning on encryption of some of their production buckets, where their data is being stored. So, it's very, very important to understand the technology you're using. So, you know how to build controls around it, to be able to protect it. And again, I want to reiterate that it does not require you to go buy a bunch of fancy tools. There is pretty much every SaaS application out there today when you're running it from the organization on level, you can set password parameters, you can establish access control, you can set up monitoring and alerts. People just don't do it. So going into your settings, going into that security tab, figuring out what you have on and what you have off and consolidating all your efforts there would be a great start. And then on the individual side, when we're talking about Web 3.0, this is going to require individual security hygiene, because right now there is nobody holding it accountable, as we mentioned.
And so, I think that it's important for the individual to understand, Hey, I need to go and validate the credibility of what I'm about to invest in. And then I also need to protect my assets. So we're, we're working on right now, an entire online course for Web 3.0 security for individuals. And it's pretty cool some of the things you can do, the basic foundations of how you protect your NFT wallet and how you protect your crypto wallet. There's a lot of overlap between industries. The multifactor authentication is still very effective, even in the new web three world. And then you can really start to go more and more advanced in investing in an encrypted drive storing your passwords in completely different places so that you have to combine them in order to get into an account, setting up anonymous IDs, that sort of thing. You can really nerd out on this, but the moral of the story here is that as a, as an individual, it's very, very important that you understand your security hygiene, because nobody else is going to protect you in the near term when it comes to web three.

[00:11:54] KRISTINA: So, whether it's web three or if it's plain old, I'm going to buy myself a pair of shoes from nike.com, there's a level of security. Let's say, a basic level of understanding and insights that consumers ought to have. And yet, when I was talking to my son about our interview today, you know that you and I were going to sit down and chat. He said to me, oh, ask him, when are they going to stop teaching us keyboarding in middle school. And when are they going to start teaching us cybersecurity? And so that's a question he has, and I'm wondering, it's great that you're creating these courses around Web 3.0 and what we need to know. And I pray that everybody's going to start taking that course. But in the meantime, how do we shift society on the whole to start thinking towards like ways of ensuring security and being an active participant?

[00:12:42] TAYLOR: You'll have to have your son call me when he is ready to jump into the security industry. I like him already. So I think that in short, this is going to sound a little negative, but unfortunately, as a society, we are very laggard in teaching ourselves a lot of fundamental skills. And I think that we're seeing this trend in the education space where we're learning a lot of skills that do not help us whatsoever. We haven't caught up with the fact that technology is so prevalent in our lives, that there are a lot of skills that we learned 10 years ago that just don't apply today. And so I would love to see a basic foundational security course. I think that unfortunately, even the school district doesn't have basic security hygiene. So how could they ever hope to go and create a course? I think that the push is going to have to happen outside of school. It's going to be a part of this whole unschooling trend that's going on, where, where people are learning on the internet and they're learning outside of a governed school entity. And so, I think that is where we're going to have to push our kids. We're going to have to have adults that are educated, and that security is important. And there must be resources that we push to our kids to help them understand the foundation. I also think that this is a huge market opportunity. I think that there is tremendous growth potential in educating just the modern human being around basic security and applying a lot of those organizational best practices that companies are paying lots of money for through consultants. And applying that to your personal hygiene.

[00:14:09] KRISTINA: Taylor, one of my clients used to say fraught with opportunity and that was what was going through my head. I'm like, you know what, you're in the right place at the right time. The world is fraught with opportunity. I'm grateful that we have you, and that you're creating these new services. I think we definitely need them, and the timing is right. And so it also makes me think about a lot of startups. So, what's really interesting to me when I'm looking at some startups these days, they have these really, really impressive ideas, things that I couldn't even imagine. Especially as we talk about the Web 3.0 space and yet one of the things that nobody taught them alongside with keyboarding in middle school was if you're taking on a certain amount of risk, you're still going to be acquired as a company, you just might be devalued. So talk to me a little bit about your experience with startups and what can startups or companies looking to be acquired do, what are good cybersecurity practices that they can adopt in order to ensure that they get really good value for their money if they're looking to get acquired or they get that VC funding, if they're going after investments, what should they be doing?

[00:15:11] TAYLOR: Probably the most passionate aspect of my job is that I get to work basically solely with startup founders, and we are embedded with startups of all shapes and sizes, but we've been able to go through this exercise of either a merger acquisition, or going public and it's so amazing, but it's also so scary to see how advanced their technology is, their product is, their offering. And yet how sometimes so laggard they are in security. And I use that word laggard so much, but it's just the best descriptor to, to talk about here. But the cool thing is, I am seeing this trend where founders care about security more than the average small business. And so, they are at least seeing that, Hey, I need to invest in this early, mostly it's because of the altruistic desire to protect their customers, which is really cool. But oftentimes it's also to generate sales. I think that the biggest misunderstanding is what kind of security do I need when I get acquired? When I merge with another company, when I go public and there are absolutely implications there, I think what we're starting to see is that VCs and private equity groups, especially, you're starting to very much ask you, what is your security posture? They're conducting what we call gap analysis, which is just basically making sure that we were asking a bunch of questions about security posture to figure out how risky that investment is. And so, I think what startup founders and beyond need to understand is that if you want to go down that path, the investment in security is basically mandatory. And so, what we encourage folks to do is typically take on a foundational security framework. So, CIS 20 is surprisingly very effective. You really want to nerd out, not many people know Secure Controls Framework, but that's like the crème de la crème of, of security controls out there. And it's ranked by criticality. You can just take those in bite-size pieces and start to implement those best practices.
We also encourage folks to invest in a tool that allows them to kind of basically brandish their security to the world. So, we work with a lot of great companies, Drata, Tugboat Logic, Secureframe, Hyperproof. They all have these SaaS offerings where you can hold your policies, your procedures, your controls, and show what you're doing to meet those standards. And then you also have the ability to share it essentially with your customers and your prospects. That's going to be very important as well when you start to talk with private equity or, or an acquirer.

[00:17:35] KRISTINA: I need a team of 15 to 20 people, or I can make it with five. How what's the ideal number of people I need, because it sounds like it's a really broad range of folks and a lot of them?

[00:17:44] TAYLOR: So, very biased opinion here, of course, but I strongly believe that this whole shift to you have to hire a full-time CISO and then you have to have an entire security engineering team, I don't think that is effective and it doesn't make a lot of sense for customers that are typically 500 employees or below. We say a thousand, I guess the 500 to a thousand is a little more of a subjective area depending on your growth and in certain factors, but definitely under 500. I think it is actually counterintuitive to go and invest in a bunch of full-time resources because you are moving so fast that oftentimes those full-time resources, they've seen a couple IT environments shops in their career, they've managed a couple shops. And so you're having someone with very limited experience or very limited exposure and often that hinders you in growing your security program. So in our case, what we do is build scalable security teams to where you can have a security team on subscription. You can very much get by with just consultants. You can get by with part-time. It just depends on their experience and their effectiveness. That's really what it comes down to. This whole, like, you have to have someone 40 hours a week, working on this all the time and as you mentioned, Kristina, do I need five or do I need 10? It's really just the experience of people that have done this before. You can get this stuff done a lot quicker than you would think, people can get ready to get their SOC 2 certification in a matter of a couple months, they can get ready for an IPO in a few months as well, it doesn't have to be a multiyear investment in a multiyear project.

[00:19:21] KRISTINA: If somebody's looking to go out and hire a team, because they're not going to grow one internally and it doesn't sound like it makes a lot of sense to do that, especially if you're coming, if any is under 500 people, what are they looking for in terms of skillset? You mentioned experience, what else should be kind of top of mind as they're interviewing consulting partners, to help them out with this?

[00:19:40] TAYLOR: To clarify experience, I mean, both experience in security as a whole and experience with customers just like them. So just customers, just like you, the listener, that you want to make sure that the folks that you are hiring have worked with similar customers, you don't want to go hire an enterprise consultant if you're a startup of a hundred employees and, and unfortunately, a lot of consulting firms take on the approach of I'll take anybody with a pulse and they have customers of all walks of life and they're a jack of all trades and a master of none. And so I think it's very, very important to dial that in first is that's what I mean from experience. And then I think that also, in terms of the knowledge around where you're going. You want to make sure that the folks that you're hiring or the individual that you're hiring has the ability to set strategy with you. You don't want to hire someone that just comes in and takes orders because you don't necessarily know what you're doing. Right? You're hiring the experts to be able to help with that. And so, hiring someone that comes in and only does what you tell them, and doesn't have the experience to be able to build out strategy of saying, Hey, I want to go public in the next two years, what do I need to do? You need to make sure that the person or the persons that you're bringing in has that experience. I think those are the most fundamental aspects. I think the last thing I would say is talking to references, but when you are talking to references see if the company that you're, or the individual that you're looking to hire has the experience to use modern technology. This is something that is insane to me. We both come from large companies, Kristina, and the types of tools that they use are archaic. I think that, unfortunately not, unfortunately I think fortunately for, for folks like us, that we, we've, we know how to embrace technology, you have to have that ability.
Startups especially are adopting new SaaS solutions. They are adopting new ways of doing business sometimes by the week or by the month. And so, you want to make sure you find somebody that can adapt and already has the wherewithal to be using modern tech.

[00:21:41] KRISTINA: Especially in a startup environment, startups tend to be so much more fast paced, obviously, than the traditional corporation. They tend to work weekends, evenings, holidays but they also tend to not want to slow down, and cybersecurity sometimes is seen as a hindrance. Definitely snoozefest. Anytime I say cybersecurity to people, they're like, oh no, you're going to come and tell me to do one of those crazy modules where I have to click next, next, next, and do my training and get like a 70% score. People are just running away from that kind of stuff. You've said before it's not all risk and no play. It could be a fun environment. We can do a cyber positive program, if you will. Tell us more about that.

[00:22:24] TAYLOR: I love this question because I certainly think that the day and age of security awareness training in the traditional sense of it exactly as you described is largely dead. I think that also has hurt the industry and hurt the image of the industry, because people are probably more hesitant to invest in security, thinking that security consists of a bunch of compliance that's making, that's preventing them from doing their job and doing a bunch of things they already don't like to do. That's unfortunate because I certainly think that is not the only way to achieve success in security. What we like to do personally, is investing in more gamifying alternatives to security. So, there are security awareness trainings out there that are way more engaging these days, that gamify the entire approach. There's solutions out there that will use phishing simulation as literally computer games that you have to play. And when you fail, it doesn't announce that to the world. It has you play a game, and it has you go through an engaging learning simulation that is not a slideshow presentation. We see that being really cool. I think that there's also ways to automate security to where you're taking away the human error element. So, investing in better email security than just your stock email security offerings in Google or Microsoft, I think that there are ways to where you don't even have to give your employee enough rope to hang themselves in regards to getting a malicious link, when you can have a tool that prevents that from happening ever, or at least alerts them. It's surprising to me that companies aren't investing in those more fundamentals, because that's where all the breaches happen. I would say finally getting people engaged on security and rewarding them for that is also extremely important. I don't think that enough people or enough organizations are investing in, hey, you know, you are doing a fantastic job of security. Here is a gift.
Here is a security awareness month incentive. There's just so many ways you can get creative. There's escape room security trainings. There's just so many cool things. Now I know I'm a security nerd, so maybe not all listeners think this is cool, but I certainly think that there are plenty of ways that you can avoid the slideshow trainings and still get an engaging experience.

[00:24:36] KRISTINA: I'm personally getting really excited about this thought of doing an escape room or anything else, except that one video that requires me to acknowledge that I'm still awake and I haven't dozed off as I'm looking at, Pamela tests Joe's knowledge of security. And should he open the email or not? I hope more organizations adopt exactly that posture that you mentioned. In terms of new risks, tell us a little bit more about new risks, because you said a lot of the breaches that are still happening, are happening for things that we can actually control for. There are things that can actually be prevented, but where is the majority of risk these days? Is it in things like 5G or is it still in the gosh, I forgot to password protect my AWS console?

[00:25:17] TAYLOR: So, this is a, a very important topic as well, because I think there is a lot of fear, uncertainty, doubt in the industry and people think, oh my gosh, these hackers are manipulating the most obscure vulnerabilities. And I have a million vulnerabilities in my app and I'm so doomed basically is the mindset that's being put out in the market. And in reality, when you go look at credible sources like cisa.gov just released a very comprehensive breakdown on where the most vulnerabilities are happening. And you see that also happening with IBM. IBM released a lot, Align released their compliance report. There are all these credible resources that are showing, hey, in reality, security risk is happening from the same three basic areas. So, ransomware is a huge one. And in reality, startups actually don't have to worry about ransomware as much just because of how their environment is structured. But large organizations that are still hosting very much on prem and are very much still in the old ways of running security. Still very much have to worry about, ransomware, but there is also cloud misconfiguration, which I'll touch on in just a sec. And then human error, which is just the clicking on bad links, getting smishing texts and all of the attack vectors that you've probably heard about, too. I think really with your listeners, Kristina, the two biggest areas I would invest in are anything related to human error. So really mitigating the risk of someone clicking on a bad link and somebody using bad passwords. And there are a few great resources in that space to, to largely prevent that. And then cloud misconfiguration, if your entire business model is to provide a SaaS solution that is hosted in a cloud environment, you should probably invest in learning at least the basics of security cloud configuration, because misconfigurations are really where a lot of these breaches are happening, Okta, SolarWinds, just to name a couple.
They are definitely huge investors in security and unfortunately it all came down to a misconfiguration in their cloud environment.

[00:27:20] KRISTINA: That always surprises me, shocks me, but points me back to the fact that it's all about the people, right? That's where it's at. It's at the human level still. So, Taylor, as we wrap up and everybody thinks about all of this great information that you just shared, there's a lot to process there. What are the three things you hope that folks will step away with and change or do differently, or at least go back and check in their enterprise, whether it's a really, really small startup on day three, or whether it's a 450 person company who's getting spun up and ready for an IPO, what is it exactly that they should go back and do right away?

[00:27:59] TAYLOR: The first thing that I would say is very much take on the mentality that security is important, both in your individual life and at your organization, no matter what your position is. I think if people can adopt better security hygiene in their personal lives, it'll very much carry into their organizations and that's just going to create a better work environment. I think a second thing that people need to understand is just go, no matter where you're at, five-employee startup, 500-employee small business or medium sized, I think that you should understand what your tech stack looks like today, and who's managing security. So just having basic asset inventory, having basic security hygiene in place that's documented, that's a huge portion of it. And I don't mean a policy that says our password is eight characters long and has complexity. I'm talking actual controls, that you have audit logging enabled for your database layer and your OS layer and your network layer, that you have your password complexity enforced across every critical application that you use. The list seems intimidating, but it really in reality is not very hard to go and implement. And I would encourage people to check out like the CIS 20 is a good starting point. And then I think the third thing is ultimately going and understanding what your aspirations are as a business, who you're selling to, what you hope to accomplish. Are you planning on selling? Are you planning on going public? Are you planning on just coasting? What industries are you selling into? Are you seeing a shift in that industry for more demands regarding security? Helping to understand that and where you're hoping to go will help you plan out a lot better where you need to be investing in security and how much you need to be investing in security.
If you're seeing, hey, I'm selling into financial services and insurance, and I'm getting hit with security assessment questionnaires every single week, I think that's a great sign that now is the time to probably just get ahead of this. There are some really cool ways that you can brag about security, whether it's putting a really cool security page on your website or it's creating a cool marketing slick that you deliver to every single customer through the prospecting phase. I certainly think that getting on, I see some business leaders getting on podcasts and talking about security, even though they're not in security, they are showing how they go and invest in security and protect their customers. All of those are huge brand builders. And I encourage folks to focus on that and not look at security as purely a cost center.

[00:30:23] KRISTINA: These are awesome tips. Taylor, it has been so much fun to talk to you. I'm so excited. I feel like we should all be able to go out and continue to build trust and brand loyalty as a result of all of the knowledge you gave us. So, thanks so much for being with us today. Appreciate you sharing all your insights and tips.

[00:30:38] TAYLOR: Thank you so much, Kristina. Thank you to the listeners for taking the time. Please connect with me on LinkedIn. I'm always here to nerd out about security and compliance.

[00:30:48] OUTRO: Thank you for joining the Power of Digital Policy; to sign up for our newsletter, get access to policy checklists, detailed information on policies, and other helpful resources, head over to the power of digital policy.com. If you get a moment, please leave a review on iTunes to help your digital colleagues find out about the podcast.
