Host: Hi, everyone. Thanks for tuning in to our Scale to Zero show. I’m Purusottam, co-founder and CTO of Cloudanix. Scale to Zero is a forum where we invite security experts to learn about their journey, discuss on security topics, and get answers to some of the questions that you have received from curious security professionals. Our goal is to build a community where we learn about security together and leave no security security questions unanswered. With that, let’s get into today’s episode. For today, we have Adam Smith with us.
Adam is the director of Cyber Governance, risk compliance and Privacy operations at Nu Skin Enterprises, which is located in Provo, Utah. Adam has been with Newskin for close to 20 years now. Prior to new skin, Adam has worked at Micron Technologies. Adam maintains a certified Information Privacy Manager and certified Information Privacy Professional Europe Credential as well. Recently, he has completed two years of volunteer work as well as a chair of Salt Lake City IAP Knowledge Net chapter. Adam, it’s wonderful to have you in the show. For our viewers who may not know about you, do you want to briefly share about your journey?
Adam: Yes.Thank you for having me on. It’s a pleasure to be with you all. As you said, my name is Adam Smith. I feel like I’ve been at Nu Skin too long now, but it’s a really great company to work for, and I’ve enjoyed it. Most of my time at Nu Skin was spent as an It systems analyst in their commission’s department. And then about five and a half years ago, I jumped into the world of privacy, and I immediately started learning about all of the obligations that Nu Skin needed to make to get compliant with the GDPR that was going to be going live in Europe in May of 2018. And that required me to become very familiar with privacy requirements, but also data governance, because I was going to be working on the data governance side of the department, and that would mean handling things like data retention, cookie consent, privacy notice, data subject rights, all of the obligations that many people are familiar with.
And then about two years ago, I completed a Master’s Degree in Information Assurance and Cyber security. And so I’ve been partnering with our Cyber Security and Information Security Department to embed privacy along with security in lots of other business domains, like third-party risk, the overall risk management lifecycle, etc. And so I really enjoy working in the field. If I have any regrets, it would be that I should have started all of this much sooner in my career because I’m much more passionate about this than I was about what I was doing previously, and I’ve really enjoyed it.
Host: Oh, lovely. That’s great to hear. So, yeah, thank you for coming on to the show and sharing your knowledge with us.
So the way we do the recording is we have two sections. The first section focused on security questions and the second section is around rapid Fire. So let’s start with the security questions, right?
And you highlighted that data privacy is something where you are very passionate and you are working on as well. So one of the things that we read a lot like many security analysts claim as well, is that human error is the biggest factor to data privacy. Right. And there have been many phishing attacks, social engineering attacks, to steal employees data and then using that to get access to the organization data. Like recently we heard about Twilio or Cloudflare.
What steps would you recommend to organizations to prepare for such attacks?
Adam: That’s a really good question. The first thing that comes to mind for me is training and awareness campaigns. A really big thing that we find successful is simulated phishing campaigns and then we can gauge the effectiveness of the different kinds of attacks.
What our organization needs of upcoming training and awareness on. We also find that it’s essential to make the training short so that they can be embedded into somebody’s workday and also not to where that they can continue working while the training runs in the background and then they ignore the content. Right. From the simulated training phishing campaigns we can understand kind of where our organization is in terms of their understanding and how we can cater upcoming content to them to make sure that we’re always staying ahead of the curve that way. Another important factor I think is to maintain proper communication channels so that people know if they come across the fish, they know who to contact and that it’s a very quick process. I think Outlook has some add on features that organizations can use or you can use teams channels or whatever. But the connection that the organization has with their information security department and their privacy department is really important because they’re going to be so much more likely to report a fish if they don’t feel like they’re going to get their hands slapped if they didn’t recognize it properly.
We want to make sure that we’re partnering with the organization as a partner, as one global team for example, as opposed to we’re experts and don’t bother us, that kind of approach. And so with the feeling and culture that we’re all on the same team trying to accomplish similar objectives, I think that’s really important. If I remember correctly too, with the Twilio and Cloudflare attacks, they took advantage of some connections and then attack B to B relationships, right? And so another thing that I’m finding is really important is that the broader employee base has visibility and understanding into what third parties we already have SSO enabled. And so if these phishing attacks come in, it should just be common knowledge that we have SSO with these vendors.
They would never be reaching out to us to reset a password, right? And so even though the domain might look correct or it’s very sophisticated looking. If there’s a broad awareness as to where SSO is enabled, I think employees should be able to recognize a fish very quickly and say, hey, this looks legitimate, but I really want to make sure. Can you guys take a look at this before I click on any links or anything else? I think that’s really important as well, to have a good solid inventory of third-party relationships and also where those SSO connections are enabled.
Host: Okay, so I think you highlighted few very good areas like the training and keeping it short. Otherwise you get distracted and you start working on something else, right? Like while the 1 hour video or five hour video is going on. So that is very important. And the knowledge base that you highlighted, right? Like employees knowing which systems we have integrated with, let’s say if we have not integrated with Okta, and you get an email saying that, or a message saying that you need to reset your password in Okta, then you might click on it, right? But if you already know, then you would be like, no, we already have that. So you don’t need to take any action or it’s a phishing attack. Maybe I’ll go to the right authority so that they can take action on it.
So this covers the sort of preparation part, right? Let’s say if an organization is going through an attack, how should they react during and after the attack?
Adam: I think there are some common principles that should apply to whatever organization, no matter the industry, no matter the type of data that you process. And some of those principles for incident, you should always have an Incident Response Plan in place. Without a plan, everyone’s going to be panicking and making rash decisions and they’re not going to make decisions that are in the best interests of the organization or the employees of the organization. And they could introduce more liability to the process, but also to the organization, but also to themselves. As we’re seeing with the Uber case where executives are now being held personally responsible for lack of cybersecurity preparedness. And we’re also seeing that in the privacy world as well as executives are now being personally responsible. So I think first and foremost, you have to have a documented plan in place. There needs to be an Incident Response Team as soon as the attack is confirmed.
I think you need to know exactly who to assemble into your Incident Response Team. And then having the Incident Response Plan allows everyone to make sure that they’re making proper decisions throughout the process, right? So as you follow the plan, there’s other principles involved, like transparency, for example. I think first and foremost, your data subjects need to be aware of any potential harm. So whether that’s a forward facing site or email communication, every organization needs to decide what works best for them. And it depends on their capabilities, how their customers or businesses interact with them. But there needs to be transparency upfront and they need to know what the likely harm is that could result to them as a result of this security incident. Right? And so having a plan and transparency in place is really important whenever organizations face a cyber attack or some kind of privacy incident where someone mishandled data, for example, whether it’s intentional or unintentional.
Host: Okay, so communication in a transparent manner has a major role to play in it. And having your plan prepared so that you know how to attack is not the right word, but how to handle those scenarios.
That touches a little bit on the data loss and stuff like that, right. When there is an attack, there is that issue. So one of the core principles of data loss prevention is sort of doing the labeling and tagging, right? And it’s not very trivial to do it at scale. And looking at the data that we generate nowadays, it becomes even more complex. And if you have multiple vendors, then it becomes even more complex.
So what metrics should organizations put in place to measure and monitor any data loss?
And how should they, let’s say, classify or segregate them so that they can prevent any data loss?
Adam: That’s another really good question. My first thought on that is to partner with other parts of the organization that will help you accomplish your objectives. And one organization that stands out to me is your infrastructure and operations groups. Assuming you’re a large enough organization where you have dedicated personnel for infrastructure and operations, they’re going to probably already have an asset inventory. Right? Then on the legal and compliance side, you might want to translate what those assets mean in terms of data.
On the privacy side, everything starts with a personal data inventory and a personal data flow map. You have to know what data you are collecting and processing, what the business purposes are for that, and the justifications and where the jurisdictions are of those data subjects so that you know what obligations you’re in scope for. Right. So when it comes to data loss prevention and tagging, you have to have those inventories in place so that you can properly say, what do we have? Where are crown jewels? Where do we kind of focus our attention on the max protection? But also if an attack were to occur in those crown jewel environments that introduce the biggest liability, how can we limit the blast radius so that if an attack occurred, we know that the attacker would be limited in terms of what they could access, how they could move laterally, or if they were to exfiltrate data. Is that data encrypted tokenized? Are they unlikely to be able to do anything with it? That kind of thing. And so those are some really high level principles. I think all organizations need to kind of adhere to when they’re looking at what our assets and data? And then what does that mean we’re subject to? And then how do we prepare in such a way so that if an attack occurs, our liability and our blast radius is kind of limited, so that we can kind of demonstrate to the people we do business with that we made plans ahead of time to protect them.
Because invariably, if you think cyber attacks will never happen, you’re setting yourself up for failure. They’re probably always going to happen, right? Right. And so you have to plan in such a way that the attackers might get ahead of you and successfully execute an attack. And then if you can demonstrate how you’ve planned to fail, so to speak, then that shows like you just build more trust with the people you do business with. And trust is becoming more and more a differentiator in any industry because people are looking for it now. They know that cyber attacks are on the rise. And so if an organization looks like they can give you X, Y and Z and provide so much value, if they don’t have trust mechanisms in place, a lot of times they fail the onboarding process before it even starts.
Because you have to have those trust mechanisms in place and sound responsible privacy and security practices. Otherwise people just don’t want to do business with you.
Host: Yeah, I totally agree with you on that. When it comes to data, like the crown jewels,, you cannot play with the trust, right? And you have to have built trust with it. And I think you had some very good pointers, like having the data inventory and the data map so that you understand which parts of the organizations you are working with, which vendors you are working with, so that you have a clear understanding in case of an attack, where to go and where to start from, let’s say your investigation, stuff like that.
One of the things that you highlighted as part of this is that there are different regulations for different, let’s say countries or different regions, right? Let’s say GDPR or CCPA in California. So let’s say there is an organization which is doing business in US. But also catering to EU customers, or there is an organization which is operating in California, but they have customers in US and EU. So you have to be compliant with these regulations like GDPR or CCPA.
What’s your recommendations to organizations who are aiming to adhere to this and how should they stay compliant to these regulations?
Adam: That’s another great question because getting started with these compliance frameworks, it’s not an easy process and it can be very complicated. And so we talked earlier about the need for a personal data inventory and asset management and a process register. If you have those things in place and you know what data you have, where your assets are, who you’re targeting in terms of doing business with, that becomes kind of the backbone of now let’s translate that into compliance obligations. Am I in scope for GDPR, CCPA, CPRA, China, Pipel, or Southeast Asia, that kind of thing? Depending on where your data subjects are from, that’s going to say, okay, now I have some triggers for these needs. Then if you can break down your data inventories into classifications and say, I’m collecting health data phi, so that might mean I’m subject to HIPAA, right? Or I’m collecting very sensitive personal data that might be considered special categories in GDPR. That brings a whole different set of obligations with it that need to be considered. So I would say when an organization wants to look and see if they’re subject to these obligations, I think the first step is to use whatever free resources are available to you.
For example, the GDPR EU website, they have a lot of great information on how to get started.
The European Data Protection Board puts out a lot of great think pieces, right? Or recommended best practices. The same with the state attorney general in California. Or you could hire an expert, like a consultant. A lot of times that will bring a lot more value than if you repurpose internal employees or try and change resources to all of a sudden become expert in something that they haven’t previously been expert in. So hiring a consultant can really get your head and shoulders really fast, and it might prove a lot of value to the business, right? And the consultant can teach you how to fish, not necessarily give you a fish, to use that metaphor, right? And the consultant will come in and say, here’s all the programs and mechanisms you need in place. We recommend staffing this group with these resources or this group with these resources, and the consultant can help you really get everything you need to have in place so that you can continue to operate, right? And so the free resources are great starting points and then consulting, if you feel like that would be the best case. There’s also third parties that specialize in privacy compliance.
I could name a few, but I don’t know if you want to plug vendors on this site. But there are vendors that are dedicated towards data inventories, data subject rights training and awareness campaigns, cookie compliance, and you can examine the vendors and you can buy software as opposed to build mechanisms which reduces technical debt. And it also might give you a lot of capabilities that you wouldn’t have had you built it internally anyway. So I think whether you’re choosing to be subject to some specific legislation, there’s always principles that you want to follow that those principles tend to underlie whatever jurisdictional law you’ll find yourself subject to. And those principles would be like the purpose limitation, making sure that your data that you’re collecting is limited to just that purpose. Minimizing the data so that you’re not collecting more than you need the transparency with the person. And then having an appropriate legal basis, and then making sure you have a good retention policies in place that you’re not retaining it longer than you need it.
I think those solid principles and then are really good frameworks to adhere to no matter what laws you think you might need to research and become subject to.
Host: So, yeah, you are spot on with some of your recommendations. Right. Start with the free resources. European Union has very detailed guides which can help you in getting up to speed, especially like where you highlighted. Right. Instead of sort of teaching your existing team to learn a new domain, get become an expert, maybe hire an external consultant who can help you with the initial initial process set up and everything. And then your internal teams by the time get familiar with the process and can help you scale. Right, so I love that as well.
So one of the things is now you have these regulations you have to follow, so you put the data governance and everything in place. Two of the major challenges with data governance is the quality control of the data. And as you work with more and more vendors or you have more sources of data, you have data silos.
So one of the questions that you have received from a fintech artefact is how should they approach these challenges and where should they start from?
Adam: That’s another good question. You’re giving me a lot of good questions today.
Host: Thank you.
Adam: I have worked a little bit in data governance groups, and when we’ve looked at tools in the past, they tend to have similar characteristics and the characteristics are breaking down. The silos really is done through visibility and awareness. Right? So I think most of the tools that you’ll find in the data governance domain or if you want to build it internally, would be to raise the visibility to the organization as to what those assets are. Like we said previously about building your personal data inventories or your asset management, a lot of times the inventories might not have personal data in them. They might just be company proprietary information or financials trade secret data, that kind of thing. But without an awareness as to where that data is and a catalog as to what’s actually in those schemas and those tables, then someone who might be wanting to work on other projects with this data doesn’t even know it’s there.
And so the silos are developed simply because people don’t know what they don’t know. Right? And so if the organization doesn’t have dedicated work tracks towards cataloging documentation referencing, and then putting those in consumable locations where the rest of the organization can grab those, learn more about them, see how it might benefit their project, not go out of band and request it from other sources that might introduce more risks to the organization. There are so many benefits to just raising the visibility as to what the assets are that we have so that all the related groups can benefit from them, not just the core group that needs them the most. Right, so cataloging logging of technical metadata. You can also have tools that will do stitching so that you can see actual lifecycle flows, where you immediately start processing the data from ingest and then you can track it all the way through the lifecycle and then implement governance policies that let you purge it at the appropriate timeline. Right, and then governance policies along the way that can monitor access control. And then you can embed privacy groups where, let’s say, for example, a data scientist wants to get in and do a project with I want to predict repeat customers, for example.
That means I have to get into the sales data and customer profile data and start building models that do predictive analytics on that data. Well, if privacy is not involved along the way, then that data scientists might grab all the data in a table when they only needed like these four data elements. And we may not have had the proper consents in place for that processing when we immediately ingested the data. And so, without knowing, someone in the organization who’s trying to add value to the organization has introduced risk to the organization and they totally didn’t mean to. Exactly. And it’s simply because we didn’t have the right visibility and mechanisms in place along the way so that they knew what the obligations were, the visibility, the cataloging and then all the necessarily governance policies, access controls, et cetera. Along the way is really important just to make sure we’re not introducing risk when we’re just trying to help the organization and provide value to the organization.
Host: So cataloging and building that knowledge base with the governance policies so that all the groups in the organization, whoever are interacting with the data, they know what governance policies are in place and following that, to the best of their knowledge makes a lot of sense.
So I think you touched on one area which is very close to my heart. It is how to work with the groups, which goes back to culture right, of the organization. And every company has a unique culture, like either engineering driven, sales driven, security driven.
So as a leader, what would you recommend to bring awareness and build a security or privacy focused culture and mindset in an organization?
Adam: That’s another great question. It has to start from the top down. So your executives, your executive committee, the board of directors, they’re responsible for the governance of the organization, right? Security and privacy have to be fundamental business disciplines. They just have to be. And when you’re building, like your mission statement, your vision statement, your values, your strategy, security and privacy have to be embedded at those fundamental groundwork foundational elements so that you can build off of them. And then when you build off of them from the foundation, then you can build KPIs OKRs and whatever else so that you can achieve maturity gains in cybersecurity and privacy practices. So if it’s not embedded from the top, which I consider the foundation, then it’s never going to trickle through the organization. Like it needs to into all the necessary business activities like training and awareness campaigns, or policies and procedures, or the lifecycle management of the data, that kind of thing.
Everything needs to trace back to what our core value is as a company. And that core value needs to focus on trust of the data subject. And you achieve that trust by maintaining the security and the privacy so that you’re not introducing risk and harm to those people. As far as how to keep that culture going, what I’ve found is champions or advocates programs go a long way to establish cross functional connections throughout the organization because they can get out of their own groups and teams and they can collaborate with other like minded individuals. And some organizations call these guilds or chapters or something and you can create dedicated teams channels or slack channels for the communication regarding these fundamental disciplines. And people can come to the table with their respective projects, like a data scientist, for example, or an engineer, or a product owner, or a finance analyst. And they can all say like and even down to HR, they can say, hey, here’s a project I’m working on, I think I might be using too much data.
What do you guys think about this? Hey, I established a new connection with a vendor and I noticed they’re not using OAuth or whatever. What do you guys think about this? And you all collaborate and then that results in trickle work back to somebody’s backlog and then the backlog will get prioritized and then the work will get remediated, right? But without those communication channels, you just never know what people need in terms of privacy and security. So those internal comms are really super important and then everybody staying up to date on industry best practices, trends like latest attacks, that kind of thing, raises everybody’s capability. So that as an organization, you don’t just have one specialist department in cyber or privacy. The whole organization is kind of growing together and maturing and being better. And then the last thing I would say on that topic is recognition. So if you have a formalized internal programs to raise that awareness, take the time to recognize people for their efforts.
That can be done through, like Lanyards Pins, shout outs on email, like a shout out to somebody’s boss. If they’re being evaluated on these practices, that becomes part of their evaluation, their bonus, their merit, and everything ties back to the recognition of the person. Then when you’re in a team’s meeting, you could call somebody out and say here’s something somebody worked on. There’s lots of little kinds of awards stickers like laptop, stickers, however you want to go about it, but there’s ways to properly recognize people so that they’re really motivated to be a part of these groups. Right, and I think that’s super important.
Host: Yeah, I really love the last part that you highlighted. Most organizations, what they do is they have a top down messaging and they have groups, the security guilds and everything, but they don’t do a great job in the recognition part. And that’s what keeps you motivated to stay engaged and do more of those activities. Right. So totally spot on on that. So that’s a great way to end the security section. And culture is one of the things that’s very close to my heart, and we try to follow some of these in our organization as well.
Here are a few points which stood out for me.
- Prepare personal data inventory data flow maps for teams to understand how data, particularly crown jewels, are being referred and used or should be used throughout the organization.
- For data governance, cataloging is important. Build a knowledge base to improve visibility and awareness of the governance process.
- Recognition is an important part of building a security or privacy first culture. It can be as simple as shoutouts or stickers or pins.
Host: So now let’s move on to the rapid-fire section.
So the first question is, if you were a superhero of cybersecurity, which power would you choose to have in you.
Adam: That’s a great question. When I was younger, I used to really like animals that were big and strong and tough, whether it’s a lion or an elephant or something. Ever since getting into cybersecurity and privacy, I’ve been fascinated by animals that have the ability to be invisible and to blend into their background, okay? And that could be like a chameleon or a rattlesnake or anything that just blends in. Nobody knows they’re there and they’re just doing business, and it’s an expectation that they might be there, but they’re not doing anything that really calls attention to themselves. And so any animal that helps me be invisible is great, and I don’t do that because I’m trying to. I just think people that put themselves out there that brag about their capabilities tend to be subjects for attack, right? Whether that’s somebody, like bragging about protecting their Social Security number and then hackers immediately going to want to go after them to prove that they’re not as great as they say they are. And so I want to be a sound, fundamental, capable cyber and privacy professional, but I want to be so good that people say, don’t try and attack that organization because their practices are very sound. And so another animal that comes to mind is a porcupine where if you try and attack it, you might get hurt. So that’s another animal that comes to mind.
Host: Makes sense. The next question is, what’s the biggest lie you have heard in cybersecurity when.
Adam: Working with technology groups, I’ve noticed that to save money, there’s usually another organization that does what you want to accomplish in much better cost effective ways. And so there tends to be a mindset of buy don’t build, because there’s probably a company out there doing better. What you want to do yourself in that buy versus build mindset or mentality.
I hear the phrase used a little bit that we’re actually transferring risk when you buy versus you build. Because if you outsource this, then you can put in place a data processing agreement, a joint controller agreement, and you can pass that risk onto the third party. And I don’t necessarily think that’s a lie, but I think at the end of the day, when people do business with you, they think they’re doing business with you, not the suppliers you use. If you choose to use a supplier that doesn’t have sound trust practices in place, you’re not mitigating any risk at all. Legally. You might have some liability protection, but your people, the damage you might do to your brand and your reputation far outweighs whatever liability you might be able to pass on to a third party. So I would say that’s one of the bigger myths that I hear in the cyber and privacy disciplines is that you can transfer risk to a third party simply by buying versus building, which isn’t always the case.
So you’re transferring the liability rather than the risk itself. Right. You’re using a tool, but that doesn’t make you risk free.
Host: Absolutely makes sense. So the last question is, what are the, let’s say, three blogs or books or websites that you go to to stay up to date on data privacy, data governance, and all those areas?
Adam: Oh, man, there’s so many. There’s a lot in the privacy world. There’s lots of research. There’s lots of third parties dedicated just to research, and they’ll take all the research and bundle it for you in such a way that it makes it really easy and quick to consume. And then there’s other blogs that are put out by actual law firms that make their research also easy to use. And so some of the one stop shops that I look for, the IAPP (https://iapp.org/) , the International Association of Privacy Professionals, they put out a lot of great research and best practices for global privacy. And I’ll put in a plug for a podcast that I really enjoy. Serious privacy is another great one. Love that. And then on the security side, some podcasts that I enjoy are Darknet Diaries https://darknetdiaries.com/ and CyberWire https://thecyberwire.com/podcasts/daily-podcast .
And then a book that I really enjoyed that my old boss gave me one year was this is How They Tell Me the World Ends. That’s a really great book. And then some security blogs and sites I like to follow are Wired, Bleeping Computer https://www.bleepingcomputer.com/ , and then Palo Alto and Cisco have some blogs that they’re always publishing up to date findings about the latest tags how to prepare for them, et cetera.
Host: Okay. Yeah. Thank you for sharing those. What we’ll do is, when we publish the video, we’ll tag these as well so that our viewers can get benefit out of this. Oh, great.
That’s a great way to end the episode. Thank you so much, Adam. This was very insightful. I learned a lot around data privacy, data governance, and how to prepare for incidents and stuff like that. For folks who might have more questions and want to connect with you, what’s the best way to reach out to you?
Adam: I am on LinkedIn. I think my profile is set to public, so you should be able to find me there. If not, you can send me an email at firstname.lastname@example.org That’s my work email, so personal email I could share as well. That’s email@example.com firstname.lastname@example.org . I don’t mind sharing that.
And if anyone wants to connect and kind of have a call or whatever, I’m happy to help people in their privacy. Cyber journey. It’s an awesome industry to be in. I couldn’t have picked a better one.
Host: Lovely. Yeah. Thank you so much for coming to the show today.
Adam: Yeah, thanks for having me.
Host: Absolutely. And to our viewers, thanks for watching. Hope you have learned something new. If you have any questions around security, share those at scale to zero. We’ll get those answered by an expert in the security space. See you in our next episode. Thank you so much.