The Big Security Topics of 2019 (Security Experts Panel: George Gerchow, Davi Ottenheimer, Tricia Howard)
Ben: Welcome to Masters of Data, the Podcast where we talk about how data affects our businesses and our lives and we talk to the people on the frontline of the data revolution. And, I’m your host, Ben Newton.
It can sometimes feel like we’re living a really scary world today. We’ve been happily searching away on Google, Instagramming our life, and sharing on Facebook. All with an expectation that we have some control over our own story. It’s not like we don’t know that there are some big brother action going on, but it doesn’t really penetrate the veil of our everyday work in our personal lives. It feels like that’s changed now for a lot of us.
The revelations of Russian hackers influencing our election, Facebook data being used to manipulate our voting patterns, and an endless parade of stories about yet another company being hacked, and offering us the pittance of credit monitoring software to make up for the loss of our personal information. It’s in that context that we’re going to talk to George Gerchow today, the Chief Information Security of Sumo Logic.
George and I did this interview during one of the biggest security conferences on the planet, RSA, and in the midst of a lot of noise about data privacy. In particular, a lot of people are talking about the new privacy regulations coming out of the European Union, the General Data Protection Regulation.
So, let’s dive in.
Thank you for coming on the Masters to Data podcast. It’s good to have you here.
George: It’s my pleasure. Like I said before, Ben, any chance to get to work with you is always great. We’ve worked together now for three years. Isn’t that crazy? Three plus years.
Ben: It feels like 10.
George: It sure does. It sure does and a lot of that is probably new, but it does feel like that, but either way, it’s been a pleasure and I’m glad to be here.
Ben: Well, thank you for coming on and you are the Chief Information Security officer at Sumo Logic, and a lot of things are going on. Maybe you can talk to me a little, George, about how you came to be where you are. You’re working in security at one of the cutting-edge companies in Silicon Valley. How did you end up where you are? Where did you start?
George: That’s actually a really good question, something that I like to talk about. So, I was at VMware where I came through in acquisition and I was a double boomerang at VMware, which means I was there twice within four years, so that’s why they call me a double boomerang. And, when I was there, I enjoyed my time that I run the Center for Policy & Compliance there where we did heavy content around security and compliance especially related to this fear and cutting-edge workloads.
Because think about where we’re at now, we’re a cloud-native company. We’ve built on microservices. Well, VMware is there 10 years ago. They were the bleeding edge of technology at the time.
And so, an interesting thing happened to me thought. Right around 2014 or so, everyone was talking about AWS and everyone started talking about cloud, and security people like me were actually telling people not to go to the cloud because the workloads would be unsecure.
In fact, I had a saying, Ben, that was called “if it’s core, it stays on the floor”. And, people yell that out to me all the time now. I’ll go to a conference, they’ll be like, “Yeah, cloud! Yeah, great! Microservices CI/CD.” And, some people would be like, “What happened to it’s core stays on the floor, Gerchow?”
And so, I wanted to work for a bleeding edge company. Like you said, I wanted to be in the Valley, and the opportunity at Sumo came up to work with great people, and so I took the job and I have no regrets.
Ben: As part of you being a Chief Information Security officer, from everything I know, data is the lifeblood of security. And, we were talking a little bit before about how really important data is to what you do. Can you talk to me about how data is part of you every day?
George: Yeah, absolutely. And, you just said it, it’s not just lifeblood, we call data currency. That’s what we refer to it in security. It’s like data is the new form of currency. And, it’s such a great point because in the past, you would have to do security half-blind. Your budget was dependent upon how much data you could gather. You’d be like, “Oh, you know what, I can’t afford to get those logs, so I’m not gonna get them and so I’m gonna do my job and my team will do my job half-blind.”
So, now, we’re starting to move into this position to where the more data we get, the more resilient we can be. We can do historical information with current analysis in the future trends based upon that data. So, the time is actually now to be able to build data links and start really investigating a multitude of data across different types of workloads.
So, you’re right, it is lifeblood, it is currency without a doubt.
Ben: Well, George and I are actually getting ready to go on stage in not too long.
Ben: We will talk about data privacy. We’re at the RSA Conference. And, it really encouraged to me. We both were talking beforehand, we love to listen to MPR, we love listening to news. And, one of the things that’s been coming up in the news a lot recently is about data privacy. And so, I love to talk to you a little bit more about that. What do you see from your side has really changed about data privacy in particular in the last couple of years?
George: I think people are becoming aware. People are starting to realize that every motion on the internet is data that’s being gathered about you to either market to you or to hack you. And, sometimes, it’s both of those. And so, it goes way beyond the enterprise. It goes down to just personal use. If you look at how cool it is that you’d be out with your kids somewhere or your family and then you check in on Facebook somewhere and tell the world, “Hey, look how cool my life is. I’m here with my family doing all this stuff.” All of a sudden now, that’s being used against you.
Before, it was, don’t check in to certain locations because then people know you’re away from home and they can rob your house. But now, it’s also, people know how to market that to you, how you’re using your data, how your family structure looks like and it’s pretty scary, and then that information is being sold. And, a lot of it starts with the current administration, not to be too political, but the fact that now the current administration today is allowing these telecom providers to sell and use your data as well too, that’s really, really rough.
So, you’re seeing more things from a security threat like Tor Proxies. So, people calling users my parents who are in their seventies are using Tor Proxies to be able to protect their identity…
Ben: Well, tell me a little bit more about what that is because I’m not sure everybody know what that is.
George: Yeah. So, a Tor Proxy is a way of masking your identity. So, it’s like being behind of VPN within a VPN. And so, by using that, before when you saw a Tor Proxy pop up like Sumo Logic, we were able to detect with some of our threat intelligence information, “Hey, this person is coming in to our proxy,” it was something unique. It was either someone who has malicious intent that was trying to keep themselves anonymous or it was just someone who was a security professional that was trying to be anonymous.
Well, now, you’re seeing everyday users do it because they’re trying to protect their identity, which leads me to GDPR. So, GDPR I think is necessary because now it’s…
Ben: Well, what does that stand for?
George: Yeah, so, it’s Government Data Protection Regulation, it’s what it stands for and it’s under privacy though. All this starts and ends with privacy. Privacy is what everyone on the planet cares about. GDPR is just the beginning. Japan just released their own version of privacy X. Everyone is starting to go down this path.
Ben: Now, GDPR is a European thing or is that a bigger?
George: Great question. It’s huge. It’s worldwide. Because if you do business with any country or any company that does business in EMEA or have partners that do business with any companies or customers in EMEA, you’re now held under the regulation.
Ben: Wow! I didn’t realize that. So, it really does have a pretty wide effect. And, that’s about they come into play now officially very soon?
George: Yeah, May 25th of 2018 is GDPR D-Day.
Ben: So, people are freaking out I assume.
George: Yeah, you’re exactly right. That’s so funny because Jen Brown who’s our DPO and she’s just awesome.
Ben: What’s a DPO.
George: Yeah, so it’s a Data Protection Officer. And so, depending on how you do business, how large of an organization you are, you have to have one appointed. So, let’s get back to that in a second because I wanna to talk about the other point you brought up, which people are freaking out. So, last year, Jen Brown, our DPO and I were like, “Man, how come other people aren’t looking at this? How come other people aren’t looking at all the different articles, going through their business processes, handling of data and then the DPA, which is Data Protection Agreement,” which we’ll talk about here in a second. And then, we both said, “You know what, wait until January 1st, 2018 and then panic is gonna set in,” which is exactly what happened.
Ben: It does seem to be coming up a lot more. I don’t think many people knew what it was just a few months ago and now it’s all over the internet.
George: It’s exploding. So, I don’t know if you know this or not, but we created a self-service portal at Sumo Logic. The self-service portal allows prospects and customers to come in and answer their own security questions. They can look at our certification association results on there under NDA. So, it’s under NDA wrap, but we also put a DPA in there, which is a Data Protection Agreement to where they can download it, sign it, and then it goes back to our legal team. That DPA is by far the number one downloaded document at Sumo Logic and it’s only been alive for two weeks. We had over 160 prospects and customers without any outside publication or training really on it and the DPA by far is the leader.
Ben: Wow! Well, I didn’t know for me personally, I have definitely been hearing more about this recently because of everything that’s going on in the public’s fear. Zuckerberg was in front of Congress thinking about hackers, people misusing data from Facebook. Honestly, it’s getting a little scary. How do you see that from your perspective doing what you do?
George: Yeah. So, for us, you’re right, it’s scary because what I wanna do ultimately is you’re a customer of mine. Even though you’re within Sumo, you’re a customer of mine, so I wanna make sure your data is protected, our customer’s data is protected. We had a real advantage because everything in our environment was encrypted anyway. But then, we’ve had to do some tech things that go beyond that. Things like DLP or Data Loss Prevention, which is something we didn’t have before. Things like really going through with every line of business whether it’s HR or whether it’s marketing and going, “How do you handle data?”
So, think about from an HR perspective, we’re hiring in AMIA. So, all of a sudden we have someone from AMIA that’s coming on board, what is your process for those applicants, that applicant data protecting that data, which all of us leads to the most hardcore part of it, which is right to erasure.
Ben: Going back to something you had said before too, it seems like part of what’s going on here too, well, there’s a growing recognition to this. Because I listen to some of the excerpts on NPR [Phonetic] about the Zuckerberg interviews and it just amaze me some of the questions that are being asked, but I think it’s representative of the wider American community. I don’t think many people really understand this at all. They don’t understand what they’re giving away and what they’re putting themselves at risk for.
George: It’s not free. I’m doing quotes right now. And look, here’s what I’ll say. I’m gonna give the younger generation a ton of credit right now because the younger generation, teenagers, notice this trend a few years ago. So, they were on Facebook when they hit a certain age because their parents were and they wanted to see all the cool things they did growing up. And then, they were like, “Facebook is not for me because there’s just too much information. My parents can see everything I’m doing. I’m going away.” So then they went to Instagram, then Facebook bought Instagram.
Now, they’re all on Snapchat and Snapchat was really created around privacy. So, I’m a Snapchat user because my kids are on Snapchat and you can actually tell if someone does a screenshot of one of your snaps.
George: Yeah. And, you can’t tell who’s watching your video, your snap. Anyone else can’t. So, being a third party even though you follow me, you can’t tell if someone else is liking my stuff or seeing it. It is based on privacy. So, I think kids, younger kids today are already getting this notion to where as adults, we’re learning this lesson the hard way.
Ben: Yeah, and it does reminds me of hearing the interviews and Orrin Hatch asking Zuckerberg how they made their money, what their business model was. “Sir, we sell ads.” I don’t think he’s the only one that doesn’t realize that. I think that’s really fascinating. These younger kids have grown up under this being connected 24/7 pretty much their whole lives now.
George: Yes, their whole lives. And so, if you take this back to the enterprise now, it’s almost the same thing. Look, whenever you and I like in fact when we were talking about this, you were kind enough to send the invitation, we did it via Slack.
George: So, we’re leveraging Slack, we’re leveraging email, we’re leveraging text messages at work. All these different communication mediums that we’re using and where is that data going, how is that data being protected, who can use that data, who can resell that data. There’s a lot to be considered there.
Now, here’s another thing I’ll say about that, which we’ll talk about tonight. When you’re doing business with a vendor, stop and think about that in the enterprise. Whatever vendor it is, you’re giving up information to those vendors. So, what does that information look like? Is it really PII? Is it PII that fits into GDPR? Or is it nation state PII that can fit into the U.S. Social Security numbers and everything else? It’s just so complex and especially with how much data we’re getting today, which you’re an expert in. Your whole job is metrics upon data. That’s what you live and breathe, and you know that the amount of these data buckets is ridiculous from these different data sources.
Ben: Yeah. No, absolutely. I always love that metric that’s been quoted. It’s something like by 2020, there’s gonna be 16 zettabytes of data and that’s like watching the whole Netflix catalog 30 million times back to back. It blows your mind, but then there’s not. You and I had been in this industry for a long time and the slapdash way that people still handle their data is both ridiculous and frightening at the same time and we had to say…
George: Well, it goes back to what you said, a lot of people just don’t know. It’s a generation thing. It’s an education thing. It’s even like what I said in the beginning. It’s funny to me that one of the things that have instilled in our team, one of our mantras is agility. Who would have thought that a security team would say we have to be agile? And, the reason why we have to be agile is because there’s so much data coming at you from so many different data sources and you have to automate all of this privacy and technology functionality on top of it just to be able to keep up with it. It’s insane, but I do believe that. I believe that security teams today have got to be agile.
Ben: Oh. Well, as part of that, tell me a little bit about where you think this is going. And, I’d say answering in two ways. First of all, how do you think this is going from what you do every day? What are some big changes and trends you’re seeing? And then, secondarily, talk a little bit more about this in general about privacy at the… let’s call it at the public level in terms of policy or whatever. Talk to me a little bit more about that.
George: Sure. So, the day-to-day right now is just gonna be really, really hard to keep up with all the emerging regulations. And, you may or may not care. Let’s face it. What you have to do is the second point that you brought up, which I love. I care about privacy. You care about privacy, but you may not care about an individual regulation that affects a certain part of the world. So, the whole idea is to build a deep mature privacy program, measure regulations against it, and then do a gap analysis on the risk of, “Do I accept moving forward into this regulation?” Or, do I just say, “You know what, it’s worth the risk. I’m not gonna remediate. I’ll get there eventually.”
But a mature privacy program sets you up for success no matter what the regulation may be, then you can do a gap analysis to remediation if you want. But the important part is just understanding the flow of data. That is the biggest thing by far. If you can get a handle on the flow and control of data, you’re gonna be way further ahead than most people, but this is not gonna go away to them.
And, that’s why like… again, one of the things I’ll say to you, you’ve got to automate everything, like that self-service portal, that literally automated an FTE, completely. So, in that way, when I go to the CFO and I say, “Listen, we’ve automated all this functionality, but we’re getting this much pressure coming in because of privacy.” Then, I can establish another FTE to automate some other things as well, too. Because this whole thing has got to be automated. You cannot have… again, if you’re gonna be agile, you can have manual intervention when it comes to privacy and protection of data.
Ben: Yeah. You got to apply the human intelligence and human experience at the right points, not in doing things that are basically repeatable.
Ben: And, it makes a lot of sense. And, tell me a little bit more about some of the public policy stuff that we’re talking about. Based on your experience, where do you see that going? Are we gonna see GDPR in the U.S.? Do you think things are really turning around? Because this is something people have been asking for a long time.
George: Oh, man, this is a political thing you’re asking me right now because I’m gonna upset some people. So, in some ways, the U.S. is way further ahead. I’ll give you a great example. Data breach notification, that wasn’t something that was instilled in Europe at enterprises. So, it was more, if I get breached, I don’t have to tell anyone because there was nothing like PCI, like SOX, or like HIPAA forcing it out. We’ve always been pretty good about that.
Now, there’s been a lot of companies in the news lately who have been slow about announcing their breaches. Well, for the most part, everywhere I’ve worked, we’ve had a data breach notification program. So, we’ve been pretty good about it. But I do think, I think this is worth telling and I hope it’s headed. I think there’s gonna be one common global privacy regulation that attacks PII no matter what nation you live in, and it’s got to be that. Because what we can’t do and we haven’t talked about this is cripple the way we do business of each emerging privacy regulation.
Think about Spain, man. Español, I love my folks out in Spain, but there’s like five different factions in Spain and each one of them wants to break off and start their own privacy regulation. Now, multiply that across each country in Europe, then multiply that across each country in Asia. Where are we gonna be at? It’s kind of like the way we work from a federal perspective to a state perspective. We’ve got to do more things at that top line level.
So, I think it’s gonna get worse before it gets better, but then eventually, there’s gonna be some overarching type policy.
Ben: Yeah, maybe it take something like these things that’s been going on with Facebook and the Russian hackers in election will really change how people are thinking about things.
George: Yeah, absolutely. It could be. So, public awareness is a good thing. We’re seeing it now in the media with things like Facebook and it’s just gonna get better from there. But here’s gonna be one of the parting thoughts I’ll leave you with. June 1st of 2018, somebody, and I hope it ain’t us and I feel sorry for whoever it is, is gonna get audited by the European Union via GDPR and it’s gonna be nasty, and we’re gonna learn a lot and the public are gonna learn a lot, and then we’ll improve from there.
Ben: Yeah. Well, George, I really appreciate you taking the time. As always, I love talking to you.
George: Oh, man, it’s great talking to you, Ben.
Ben: This has been a lot of fun. Well, thanks everybody for tuning in to Masters of Data. And, I look forward to the next podcast…
Government Shutdowns, Bug Bountires, and Ethics - what do these have in common? Our first live panel of security experts in 2019. We recorded this live in January 2019 and are now providing the audio for your listening pleasure on the Masters of Data Podcast.