The Data Diva E78 - Abimbola Adegbite and Debbie Reynolds

Show Notes

Debbie Reynolds “The Data Diva” talks to Abimbola Adegbite, Application Security Thought Leader at Jane.app. We discuss his journey into technology and his role at Jane.app, the importance of organizations understanding cybersecurity, his concerns about Data Privacy and Cybersecurity within organizations, the public misperception of hackers and the identity of real cyber threats, the relationship between Data Privacy and cybersecurity, the role of organizations as data stewards, aligning an organization's actions with their operations, an integrated approach is necessary to Data Privacy and cybersecurity, the importance of collaboration between teams,  and his hope for Data Privacy in the future.

Support the show

Transcript

44:03

SUMMARY KEYWORDS

security, privacy, data, application, organization, cybersecurity, cloud, policies, point, form, companies, customers, c level executives, role, situation, insider threat, service, compliance, big, product managers

SPEAKERS

Abimbola Adegbite, Debbie Reynolds

Debbie Reynolds  00:00

Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations. Hello, my name is Debbie Reynolds. This is "The Data Diva Talks" Privacy podcast, where we discuss Data Privacy issues with industry leaders around the world with information that businesses need to know now. I have a special guest on the show, Abimbola Adegbite. I'm really happy to have you on the show. We had the pleasure of meeting, and we were on a panel together; we did a panel with Citrix Corporation. That was really cool what they did. So this is more about kind of cybersecurity and stuff like that. And then they obviously wanted to throw me in the mix with privacy. So it was really cool. So we sort of broach both of those subjects. But I really enjoyed being on the panel with you. And I thought you had really great insights. And so you are with your application security for the app Jane, right? So tell me a bit about your journey into technology and what you do at Jane.

Abimbola Adegbite  01:27

Okay. Thank you very much, Debbie. I don't think we have really spoken this year. But again, you can call me Abby for short. To answer your question. My journey into it was a really colorful one. Fun fact, I'm self-taught. Everything I knew about it today, I self-learned. I studied mass communication. And my my actual journey, my foray into it, started in 2011. I used to be a cameraman; I used to walk in front of cameras as a presenter. I also managed a hotel as an Identity Manager. And then, between 2010 and 2011, I was at this crossroads. Because in my country of birth, there is a compulsory youth service that you have to go through once you graduate from a higher institution. So it was at that point that an opportunity came up to learn about Oracle, Oracle EBS, E-Business Suites. And I took the journey down Southeast Nigeria to a state called Bayelsa. And then it was at that point that I can pinpoint and say I started my journey into it. Fast forward to 2014. I started out as a QA, I also self-learned. And then I grew in that position to testing lead. And it was at that point I was really appreciative of my manager during that period because he made sure that I was exposed to everything and anything that had to do with testing, security testing, performance testing, API testing, you name it, I was doing it all. And I moved to Canada in 2018. And the opportunity came in the form of a job, a contract role at IBM. And ever since then, I have not looked back within application security. And to the B part of your question, what I do at Jane, my current role involves working with development and product managers to prioritize security stories and requirements. And this is done in order to balance security and business risk, as well as privacy as well because you can't do one without the other these days. And we do all of this, or I helped to do all of this to deliver the most impactful improvements within the software development lifecycle. And I use something that I like application security OKRs, objectives, and key results. That way, the goal is there for everyone to see. And diverse value stream teams that we partner with the product managers, the development teams can key into that during their planning.

Debbie Reynolds  04:35

That's great. Thank you for that. That's really cool. I think, you know, you have such an important job. I don't think we've had anyone on the show yet. Who's done application security for apps. So I think being someone who has to not just do a regular network infrastructure,  you're at the forefront because, like all your consumers are, you have client-facing or out-facing the customer. So security is very top of mind; you want to attract people to the application, and I like the way that you have put it together, saying how you use objectives to make sure that the teams understand cybersecurity and what you're doing. Tell me about this one I love to talk to cyber people about is how do you get people within the organization to understand what their role is? How, why is cyber important, and what their role is in it? Because I feel like you hear in trainings and things about cybersecurity people tell people well, sort of everyone's job in some way, but that is so, so vague. So to me, if you say it was everyone's job, it's like no one's job. Correct? What are your thoughts?

Abimbola Adegbite  06:12

I'm glad to be the trailblazing application security person that you have on your podcast. So yay. That being said, making everyone aware of their rules their various roles in security is something that I do often. And the way I approach it is as a salesperson, you know, sales can be really annoying, sometimes and frustrating when you don't get your desired goal. So one of the ways I've been able to reorient myself is to say to myself that I'm selling security. It's a really fine art balancing security and customer delight, which is user experience. You have people; the general notion is that security is everyone's business. Yes, that's correct. However, you need to make people constantly aware; you need to keep telling them, oh, this is the role they need, this is how you need to play that role, just like a playbook, right? But think about a playbook where you do the fire drill exercises every day. And constantly reminding developers of their role within the software development lifecycle with regards to security, product managers, product owners, within the software development lifecycle, as people who would be responsible for helping to come up with security requirements and security stories, but with the perspective of the customer, most of the time, our customers are for people within application security, our customers our internal facing. But at the same time, we have to do that with the mindset of the end-user, right? Internal facing developers, the C level executives, and which I'll touch on a bit, the product managers, infrastructure guys, because it's with application security, you are at a unique intersection, right? You interface with privacy, net sec, cloud sec, infrastructure sec, you know, you can have a secure application. But if the platform that would host the application is not secure, that becomes null and void, right? So for the C-level executives, you need to be able to constantly bring to their consciousness visibility regarding the metrics of how you've been able to push your security initiative within the organization. And I'm sure that for anyone within application security, you would have been frustrated about the fact that you have to explain what is already objective, what is already a fact but is the role that you carries the responsibility that you have to do every day, for example, there was an initiative to deprecate something, a particular feature of our application that been deprecated, and took a bit of convincing, right, to say, oh, these are the five W's and how we'll do it. So what are we doing? Why are we doing it? When are we doing it? Where and then how are we going to do it? Those were the questions that I had to answer and put forward to everyone. Everyone had to work together with a colleague of mine to come up with, like a cartoon image, so as to sell that security initiative within the organization any worked to positive two, he had a positive effect on everyone at the end of the day. So, which was a win in my book, I will continue to apply that approach going forward.

Debbie Reynolds  10:17

Very cool. So what's happening in the world today? And you know, cyber technology, privacy even that concerns you most right now.

Abimbola Adegbite  10:29

So most of the time, it's the various ways are doing old tricks, right? Pouring in new wine into an old keg, you'd see various types of security vulnerabilities that had once existed or that once trended in the past. And you'll be wondering, oh, how did they do that? How did they come up with that? The answer is simple. While you are focused on securing your perimeter, securing your application as a whole. The malicious individuals have the time to work with, and that's where you don't have to your advantage, right? So yeah, constantly reworking, retrofitting malware, and just coming up with simple, easy ways to do things that were once thought to require a lot of skill. Another worrying trend? Well, not so much. Not so much worrying. But a big headache these days is malware as a service, right? Where anyone can pay a token and say, oh, this is what I want it to do. More recently, ransomware as a service, no, just malware service ransomware as a service, you know, people are empowered, they're also hoping to bring down organizations to their knees. Another one that is concerning is that there is no real regulation regarding ransomware payments. And it's really concerning because organizations are getting to that point where they're alone. I mean, you wonder, how do we get to a point where we are able to say, this is the standard rule, this is what we need to do. You know, you look out there, and you see, oh, this is what to do when you're struck by ransomware, but every organization has unique, they have certain uniqueness, that comes with their operations. And it becomes really frustrating, for lack of a better word, to not know what to do when such events do occur. And so state actors, they're really concerning as well. Because you don't know when you're caught in the crossfire of that kind of situation. So, I mean, so far, these are the ones that are really trending up in terms of application security as a whole.

Debbie Reynolds  13:12

And how do you find that the landscape is a lot more complicated? And I think, you know, I get frustrated, sometimes in media, I feel like cybersecurity may need like a PR campaign or something. Because in the media, first of all, you know, the word hacker is always a criminal in their mind, which is not true, right? That's not true. Also, you know, they have this thing about; they always do those pictures with the guy in a basement in a hoodie, who's doing stuff. And I never heard people at programs talk about insider threats, and they always talk about it, like it's some rogue employee. And we know that insider threat doesn't necessarily have to be nefarious, right? It just has to be a gap that people are looking at or a way that someone's doing something that creates a problem for organizations. Also, I think one other unique thing that I would love for you to talk about is the cloud. So, for some organizations, over the years, it's been pretty funny. So some organizations are like, okay, we're not going to ever go into the cloud, because, you know, we're, that's going to make us less secure. And so, I think the cloud is all about how you secure your data in a lot of ways and how you leverage that. So I think the problem that people have when they think about the cloud, who aren't accustomed to it or don't know anything about it is that you know, they have a responsibility so throw stuff in the cloud above it, relinquish your responsibility to protect data, and it's different. It's other than what you have to deal with just data that are on-premise. Can you talk about that a bit?

Abimbola Adegbite  15:15

Yeah. I mean, the cloud providers are very specific about the responsibility of the customers using their service. And they say the security of the data that you put there is your responsibility, and their role is to secure the cloud. And something really important that you mentioned is clarifying the notion that a hacker does not necessarily translate or hacking in itself does not translate into a malicious activity. We all hack, I mean, if you can take something if you can do DIY, and I think that in itself is hacking, right? I think the appropriate word to use is a malicious actor, a malicious threat actor. I know it's a mouthful. So people just resort to saying the bad guys. So there are multiple layers to the questions. That's the question that you posed. So I'm going to take it one at a time. So in, I think, not taking advantage of what the cloud, the benefits that the cloud provides, far outweighs you staying on-prem. Because say, for example, and God forbid, there was a natural disaster, and you needed to go to your data center to start up the service. Imagine the craziness wading through last week, there was a snow blizzard here in Toronto, and I could imagine at that point, people will have to go out to work. So imagine that kind of situation where you could not drive it was practically impossible to drive at that point. So being on the cloud would save, will save you as a company. Will save your resources, the time spent commuting, the advantages are numerous, right? And there's always a constant need to review your configuration when you do, indeed, take on using the cloud services, the bane of it, like you mentioned, insider threat, not necessarily someone who is shipping your data out; it's just that oversights in your configuration, the oversights in your setup. One simple setting, I found, for the most part, I realized that organizations that take on those kinds of services want to they want to replicate what they do on a day-to-day basis, which is not a bad thing, right? But in doing that, without adequate real review of the processes, you start to automate inefficiencies. And it's those inefficiencies that cause those gaps that leads to a bigger insider threat challenge. Another layer to it, you know, is being able to deliver what's called cutting-edge updates to your users. Taking advantage of cloud benefits, you're able to deploy quickly. And if there was an issue, you're able to quickly revert or fix that rather than waiting for a long period of time. So these days, it's good to have a backup. So companies usually would do a hybrid arrangement where you have on cloud and then on-prem and managing that is also in itself, managing the bridge between the cloud and on-premise also, in itself, some somewhat challenging. So it's pretty interesting. There's so many benefits, and I can go on and on about it.

Debbie Reynolds  19:16

When we're in it, using an app you're at, you're in the cloud regardless. So you can't not be in the cloud.

Abimbola Adegbite  19:22

The bigger problem will be running out of Internet rather than the cloud.

Debbie Reynolds  19:29

Right. Exactly. Absolutely. So tell me about this interplay of privacy and cybersecurity. So, I think because the privacy regulations have tightened up over the years, it has become more and more in the forefront in terms of an issue that probably wasn't one maybe many years ago, but we're definitely seeing those. But tell me how you interplay with privacy requirements that happen in your organization.

Abimbola Adegbite  20:09

Awesome. Thank you very much. I think the foundational competence is security awareness and compliance because it's one thing to have all the privacy rules. And then, if you're not playing your part in ensuring that compliance is attained, there are various privacy rules out there that are thrown around. Of course, the biggest one that we know is HIPAA. In Canada, there's the PIPEDA Act. I think that's getting renamed now to the Canadian Privacy Act. But all in all, the role of application security is to, as much as possible, ensure that you can, your Data Privacy and compliance team is partnered within ensuring that awareness is built on the correct assumption, and not just telling employees or you need to ensure that you are compliant, or your developers and ensuring that you automate compliance as much as possible. Because once you do it, if you do it once, or if you're able to achieve it once, then you would only be fine-tuning it and making it even more efficient in the long run, rather than going back every year. And which reminds me of a point. So whenever it's time to do audits, or have been in situations where in the past, no one cares about compliance or audit for 11 months of the year. And then, when it's compliance month, everyone is running around scampering. No, we didn't have this. Do you have this? Do you have this report? So in that kind of regard to application security and privacy, I believe strongly in compliance as code in a situation there. No one is running afoul or in violation of what you need to comply with. And the big part of that is employee training, employee awareness, and also communicating and communicating with your customers, your end-users and letting them know that, oh, this is a new thing that we're doing, or this is something that has been existing, but we're taking it seriously now, which is some organizations are doing it really well. But some not so much. It's like all we need to do is hide this and hide. And it goes back to your point where when you mentioned that application security, or cybersecurity as a whole, needs some form of PR, or rebranding, I would say that within the security team, what are you doing AppSec. Net sec or infrastructure, it has become imperative to have someone who specializes in communication, of course, communicating with the client. As much as he knows, he might be painful revealing certain truths they are not comfortable with; it has its benefits because at that point, you're disclosing, and you're letting them know, or maybe we're not doing this really well. But we've decided that this is the path to follow. And we've chosen to do it well. And you would see that customers gravitate more to that type of situation, you know, having applications letting you know, oh, before we had oversight at this point, but right now, we are taking it seriously because of your privacy. Oh, they really care about me. And I put myself in such a customer's shoes and well thought out. A well-thought-out communication strategy is one of those things that is required with regard to privacy and application security. Because yes, you are selling a product, but the passion for the people is what drives you in designing our product or should be what drives you in designing our product in the first place. And when you talk about privacy, you think about people and your rights to data that they have or own, so I think that's my own take.

Debbie Reynolds  24:34

Right? I like to tell companies that you know, and as simple as a statement is, I still get people that are shocked when I say this; it's like we collect data of individuals. It doesn't belong to you; it belongs to the individual. You're like a steward of that data, and you're like, what, I found it belongs to me because I have it in my possession? I know it's not yours. So you know, If you gave you borrowed something from a friend, you probably take care of it differently than if it was your own thing, right? You have a responsibility to that other person. So you think about data, or think about privacy in our way, and also to help change your perspective or everything. Also, something you mentioned, I want to talk a bit about when we're talking about privacy and compliance. You know, some companies feel like, okay, we have a Data Privacy officer, we have these policies and procedures in place, but then they don't, they can't really translate that two kinds of operations, basically. And so I tell companies, even if they have pauses, I'll review them. I'm like, do you actually do this? Do you delete your data every 60 days? Or somewhere? Even you're like, No, I'm like, don't say that. You know policies should mirror what you actually do in the business. So you're not going to be you'll be in a bad position, right? With regulators with people, you say, okay, we do these 10 things, and then we look at the operation, and he can't prove that you've done any of those things. And that's problematic. What are your thoughts?

Abimbola Adegbite  26:23

Again, I cast my mind back to when I said, organizations don't care about it for 11 months of the year, and then when it's that one month to start to be proper in front of the regulators, and everyone starts to remember, oh, did we do this? Do we have a report for when when we did HIPAA training or data training? Or where's our data retention policy? Oh, we're supposed to delete every seven months or so, depending on what must have been written in the policy, you know? And I feel like, no, I strongly believe that your policies should reflect your values as a company if you're unable to do it. And like you mentioned, operationalize your standards, policies, and guidelines. I believe that that's where resources should be concentrated to us. There is no point in taking those policies and standards are not useful if you presented to the C-level executives, and they put their stamp of approval on it, but there is no follow up. Or there is no visibility into the implementation of such policies or the usage of such policies; then something needs to change, right? Either you find a way to automate it. And you find a way to operationalize the usage of those activities, or you find someone, or you even contract it outright, or you find a tool that can help you do that. Because more organizations are getting into unnecessary risk and trouble editing or copying. Most of the time, templates are used, and then the change verbiage is adapted to suites what their current situation is. But after that, no one goes back to look at it. An interesting one is like a business continuity plan where you have a business continuity plan, but you've never done a fire drill. You've never gone through any of that. And you were wondering, okay, so what do we do when we get into trouble? It's the same thing with privacy. Where another trend I realized these days was that Data Privacy and compliance is the legal team of the organization that are usually blind to setting policies that have a far-reaching effect on the day-to-day activities of the organization. So it's a big situation that needs resolution immediately, right? All the forms of security need to come together. Statute they need to start working together in conjunction with legal because you can put out what is called a policy or a standard, you're going to be held liable for such situation. So the legal team also needs to start to play pants oil. Maybe it depends on the organization, but maybe it's a situation where APSET, Cloudtech Netsafe, Data Privacy, and compliance needs to now bring or call the attention of the legal team within the organization. And if any organization doesn't have a legal team, per se, they can outsource that responsibility. And bringing in consultants would come in from time to time. But it's really important to not just copy or adapt a template.  It's also important to ensure that the company values are reflected in those policies and guidelines and stick to them.

Debbie Reynolds  30:33

Yeah, I agree with that. Wow, it's really deep thoughts here. I love what you say about having these teams work together. So the way it was before, can't be like this now, right with privacy and security can't be like Santas workshop where everybody does their little part, and they don't know, the other thing is doing and then magically, everything comes together at the end, that just doesn't work. So being able to have that open channel of communication back and forth is funny because a lot of times, I'll talk to the legal folks, and they'll tell me, you know, this is what we're doing. Whenever I do not talk to the AP security or the cyber people, the data people say, and I asked them, it's totally different. So my, hey, you know, they say, oh, yeah, we're doing this, and I asked us, are we doing this? Like, no, we have to piece that story together. You can't be aspirational. Your policy should be operational, not aspirational. So you said, you're like, get out, okay, we're going to do these lofty things, like you're not actually doing, and you definitely need to, you know, have that correct. But I love the point that you make about having someone do something in an area that has a far-reaching impact. And so you can't know that if you are collaborating with these teams. Right. So I give an example, there was a case that came up, and I'll probably talk about it. I have a guest coming on the show to talk about this. But there was a big company, a big financial company in the US that had an issue with kind of data disposal, where they had like, old servers or some hard drives with data. The people who are in charge of making sure the stuff gets disposed of chose a vendor that was not really up to snuff, but the vendor was cheaper than someone else, basically. Right. So this hurt these companies; they dispose of it in not a good way, though those devices had data on them, and that data got handed to someone else. So it became like a data breach. And it's like, the cog, the part of the organization that was kind of looking at, like this task, like hiring this vendor or whatever. They didn't really know that for them, they're like, okay, we save the company $100,000, but having those drives go out and not handling them the way this should have cost them like $60 million. So I think your point is well made about understanding you need more of a strategy, you need someone to look at it at a higher level, you can't just be I do my part. You do your part; it has these, especially as a relates to data of individuals, you know, these things do and can have kind of far-ranging impacts.

Abimbola Adegbite  33:50

I like to do that. I realize, again, this is my own thought. The challenge that I have seen is many take policies, many organizations take policies and guidelines, like they are plans, right, but they're not plans and should not be treated like a plan. Policies and guidelines, and standards should be treated or should be viewed from the point of the lens of the legal team within the organization. Again, since most of the 85% of the breaches reported involve some form of human error, throwing more money at the problem by buying the latest cybersecurity tool. At its core, it just shows that cybersecurity is not just a technical problem; it's mostly a human problem. And the AI has gotten to that point where you cannot be blind to how many other domains in cybersecurity and cyber security's white book are about risk. Yeah, fun fact, application security is also a form of risk management. So every day, I realized that in selling application security, you have to push in application security initiatives, you have to approach it from the point of view that this is the long game, we have to keep doing this. Because, again, most things related to application security are objectives, they are facts, but in selling that to nontechnical stakeholders, you need to be able to come up with stories and say, oh, this is the user story. This is the why, and this is the need. Privacy really goes hand in hand with application security these days.

Debbie Reynolds  36:00

I love what you're saying about stories. So this is one reason why I really love talking to people who work at consumer-facing organizations that are totally top-notch; you understand, you know, you're an executive, right? You have to be able to tell a story. You have to be able to talk to people in different areas of your organization communicate the value, so it can't be just like, oh, I worked really hard. You know, that's not a good story.

Abimbola Adegbite  36:32

I mean, I've come to realize that the hard way, like I've had happy moments where this is objective, it is what it is this, this call it a sunny day today, you know, but imagine trying to explain it's a sunny day, the sun is out, shining, but when dealing with customers, who are nontechnical, not necessarily understand the technicalities of what you just mentioned, a story is a good way to communicate the need. And one thing that we do within Jane is the first question, why? Why are we doing this, you know, and once you are able to ask yourself that before approaching people, you would know how to present it. Again, communication is also fine art. So you need to grow in the art of telling stories and then presenting them in a way that is nonrefutable. You know, people would always come back with questions. But if you think about those questions ahead of time, and you realize that organizations need more than technology, there's a need for employees to be both the first and last line of defense. And in thinking about that, and saying, okay, I am the employee here helping make this product better. But I think of myself, as the customer was using this, what will be the delight in me, using this particular feature that has just been rolled out? And once I'm able to answer that question, then I can go ahead and approach the nontechnical stakeholders with the value.

Debbie Reynolds  38:21

Right, right. So so, if it were the world according to Abimbola, and we did everything that you said, what would be your wish for privacy anywhere in the world? Regulation, corporate, the way people work incorporating the privacy, security teams, anything, technology, people stuff?

Abimbola Adegbite  38:49

In my ideal world, I would; this is my opinion. You should get paid for companies using your data. I mean, data as a service is how I think about it, were using my data, no problem, that data is enriching your pocket. By the same time, I should get customers paid for using those kinds of services that are cash cow rates, some form of reward; I can, I can keep going there. And behind me using cookies to track my life, like some form of law enforcement agency. You know, it's really fascinating the things that the Internet knows about you, right, without your knowledge. And it's only recently that all of this is coming to light. So in view of that, and retrospectively, there needs to be some form of a rewards program. Some companies are doing it one way or the other, and they are using their application, And then you get rewarded for that. But it needs to still; it needs to be the norm, it needs to be what everyone does, where you take my data, you pay me for it, it might not be monetary, it might be that I get credits for using your service, rather than, oh, I get discounts using yourself, I think that would be ideal, because right now, it's a love-hate relationship, right? You can't do without certain services these days in terms of productivity, in terms of connecting at a social level. But in my ideal world, it would become imperative. And it will be the rule that we get rewarded in exchange for the data that we put out there.

Debbie Reynolds  40:52

Wow, that's a really good answer. Yeah, that's such a hot topic, issue, hot button issue, because some people feel like, well, my data shouldn't be sold. It's like a fundamental right for privacy. But the data is sold. So it's like the horse has left that barn many, many moons ago. Right? I think, you know, there is money being made there. And you're right, you know, there are a lot of cases coming up, there's this, adding more transparency to kind of that underlayer of Internet of how the data, what's collected about people? How is it collected, how is it monetized, and that whole industry is now coming to light more, especially as you know, so one part is the monetization of it? And then the other part, I mean, monetization, of course, but I think the companies that create like risk profiles based on this data, you know, they're going to have a very uncomfortable time in the future because they don't really want to be transparent about the fact that they want you to get denied insurance because you search for chronic illness, you know, two times a month or something like that, you know, so, yes, it's a very interesting time. And I think, you know, I agree with you that there should be some way to make it transparent for people what their data is worth, and then let them choose how they want to monetize from it. Cool. Thank you so much. This has been great to have you on the show. You know, I love talking to people on camera. You guys are such cool heads, smart about it. Congratulations on your great work at Jane, and I'm sure we'll be able to chat soon.

Abimbola Adegbite  42:46

Yes, I may have to reach out to you as well in the coming days. I also volunteer on the board of the Toronto chapter of IC Squared as Director of Academic Partnerships. So from every month, we do have a talk. So I would love to have you on this.

Debbie Reynolds  43:11

So sweet. Thank you so much. Yeah, we definitely have the chat about that. That would be fun. Awesome. Well, thank you so much. And I'm sure we'll talk soon.