"The Data Diva" Talks Privacy Podcast

The Data Diva E46 - Alexandre Blanc and Debbie Reynolds

September 21, 2021 Debbie Reynolds Season 1 Episode 46
"The Data Diva" Talks Privacy Podcast
The Data Diva E46 - Alexandre Blanc and Debbie Reynolds
Show Notes Transcript

Debbie Reynolds “The Data Diva” talks to Alexandre Blanc, a LinkedIn “Top Voice”, Top 20 Cyber Risk Communicator of 2019 and 2020, and CISO of VARS Corporation. We discuss his passion and journey into Cybersecurity, the need for public relations campaigns to educate about Cybersecurity, the misunderstanding and cyber risks of using the Cloud, how Data Privacy and Cybersecurity connect, the need to tie data uses to legitimate transparent purposes and reduce cyber risks, and his wish for Data Privacy in the future.


48:17
SUMMARY KEYWORDS
data, people, Cloud, cyber, organization, business, risk, privacy, protect, governance, technical, impact, security, speaking, side, access, cyber incident, Cybersecurity, operation, data protection
SPEAKERS
Alexandre Blanc, Debbie Reynolds

Debbie Reynolds  00:00
Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations. Hello, this is Debbie Reynolds. And this is "The Data Diva" Talks Privacy podcast, where we discuss Data Privacy issues with industry leaders around the world with information that businesses need to know now. So I have a special guest on the show. I've been a great fan of his for many, many years. And recently, I think over the last few months, we actually had a chance to do some collaboration together. And it was really fun. And I don't know why we hadn't thought about them doing it before. We have such mutual admiration for each other. So Alexandre Blanc is a CISO, from VARS Corporation. He's also one of LinkedIn's top voices. Also, I share the honor with Alexandre. He's been on there for more than like, you think, a bit longer for two years. So last year, I was also named one of the top 20 Global Cyber Risk Communicators. So yeah, I can't be like you, Alexandre. But I'm trying to get there. So welcome to the show. And I would love for you to tell us a bit about kind of yourself and your background, your passion for Cybersecurity.

Alexandre Blanc  01:28
I am happy to join you again. And that's my pleasure. And you know what, when you say that you follow me for a while, I feel like I followed you for a while as well. So that's funny. That makes sense. Because we are very aligned on the privacy in the data protection side of things. And very active in the field. I mean, it takes people like us to spread the word and explain the situation to anybody else. Because you have something that is obvious for us, it's not obvious for everybody. And also mean we see the power of data because we're also in the field on my side. I mean, I'm in incident response, and you know, dark web investigation and stuff. And when you find all these data laying around, and you realize what you can do with that, either, you know, abuse with it, or use the data for more attacks or, you know, purge data. And then you realize that people don't see that, and they must be aware. So I'm happy we get to discuss all of that I, dive straight into the topic. But that's it. And then we were speaking a little bit about the background. That was the question. So my background. I've been in IT since the end of the 90s. Just right after university, I was already in the IT service admin group at university. And also then, you know, straight in the IT world, before Cybersecurity was something and before Cloud was called Cloud, we are you know, we were renting servers and IPs online on the Internet. It was called dedicated hosting and stuff like that, then it grew. And we were used to protect these. And so basically doing that for like 20 plus years. And that's a scary, scary timeframe when you think about it. So we grew with it. I grew up with it. And I moved around the world a little bit as well. So so many things, I mean, use case and protecting the many, many organization and infrastructure, both from the private sector a bit from the military, and the rest tied to the private sector. I've never been in the military myself. 
I work kind of a lot with them for some unknown reason. But yeah, so that's the two, well I'm kind of aware too. And yeah, that's what me and today I'm in Canada for a bit more than ten years now—and working a lot on the privacy and Cybersecurity awareness side of things. Because as you know very well, leaks breaches, and data grew at a crazy pace, and we barely follow or even catch up on the security and data protection side of things. So that's where we stand today.

Debbie Reynolds  04:16
Yeah, that's a good overview. Excellent, excellent. I would like to talk about, and this is something I feel like you do really well, and we need more on so in a way I feel like Cybersecurity needs kind of public relations revival of some sort of, you know, because in my view, and I've had CISOs tell me in the past that they felt like they were doing their job, they should be invisible. And I don't really agree with that because I feel like cyber is so entrenched in organizations, right? So when I think about organizations when they were building themselves, or people do a business like 30 years ago, you know, technology was kind of a nice to have. So they could do their jobs without technology, right. But then there were tools that were being created, this sort of created more opportunities for people, as it may start business processes easier. But now I feel like we're in a situation where so many companies really can't operate without the technology. So what hasn't happened, in my view, to this point is that people with kind of your skills haven't risen in terms of visibility in organizations in the way that they should. So the fact that you're doing a lot of this, this advocacy on LinkedIn is really important. And I think you're sort of leading the way to, you know, why it's important that people in cyber be visible, right. So you're an educator, you know, you're someone who practices, a practitioner in the field, you're seeing a lot of these threats, and you're helping to educate us not only about what's happening right now but then what people can do in the future, what are your thoughts about that, like about cyber being visible versus invisible?

Alexandre Blanc  06:18
That's a good point. And, and this is true that more often than fewer people that are deeply technical, are not very, you know, business-oriented, or, you know, very extroverted people. And I'm lucky on that side because I like to explain stuff, and I'm gonna have a good communicator. And I've been also deeply on the technical side. So it's a good opportunity, and then what we see and you said it, right, you know, technology, when it came, was a tool. But nowadays, it's everything, even in your personal life, if you do not have access to technology, you can't do anything, you know, like paying your invoice or even just ending your life. So we absolutely rely on technology right now. And next step is protecting the technology. And people, first, before protecting the tech, should be aware of the threat and its impact. And we realize when we speak to businesses that they don't realize the impact. And you know, there is that thing like the quantifiable way and qualitative approach to explaining the threat. So usually, the quantitative approach is, you know, the impact in quantities, but also in value in money and impact. And that's more for the finance side of things that try to bring meaning to an incident to the decision-maker on the finance side. And the qualitative impact is more usually technical, but it has to be tied to business impact. So this is something we tried to connect and try to explain the value proposition of ending the security posture. I actually wrote an article recently, which is on the website, that I shared on fcgt.com. It's about the value proposition of doing an IT security audit. And the fun fact is that most organizations realize that they don't know why would they do that. You know, they think that everything is working. And people in the operation field, when you ask them, or even if you push, we know that on to them, they will feel like they are being judged or it's a betrayal from the management, as your loss of trust. 
Because if you ask for an audit, it means that you don't trust what they do. And I've been there, you know, one of the jobs it starts, I joined as an IT director in one of the jobs, and I don't know, was there for like a month. And then the CEO came to me and say, oh, by the way, I did sign for there was an action server configuration and security audit from a third-party provider. There we come and check what's happening there. And when I first got the information and was like, hey, why the hell are they're sending someone else checking my job, you know, it was weird, but I just started on the, later on, I realized that that was to help me get a bit better picture of the situation and use some lever, use some lever, weave the team around to spot what was actually not well done, or what was missing. You know, it was more than that. But the thing as a human being, it's like, huh, you're gonna check on me, you know. So when you speak about auditing, the efficiency of Cybersecurity posture, whatever, easily it may lead to some friction. While it should not because when you bring a specialist or just another pair of eyes on your situation, review the workflow organized and the maturity level on the security side of things. It's a great opportunity for the teams to actually ask for more resources because it's going to highlight the challenge they face to the management. Why if they say themselves, oh, I like resources, and they want to know management. They want to keep you know; why do you like a source know where? Where are you spending your time? This is something I faced at work as well. And I'm not a big BI fan because I'm a more natural leader and take me on the technical side like to manage the stuff. So once I was out of resources, and I say I need more people, and they say, oh, why do you need more people? Where do you spend your time? And when they asked you to start to analyze the performance of how we do things, I felt like it's a betrayal of trust. 
Because if you ask me where I spend my time, it shows that you don't trust what I'm doing. But it was not that at all. It was just, you know, knowing what's the process efficient? And, and can we do better? And where can we help? So that was the whole thing. And so that's something that we need to bring today because we see the same on the Cybersecurity side of things. So we should see that as a lever, meaning for existing teams, to lever more resources and to ask for more resources to help them on their security journey. I think it's clear.

Debbie Reynolds  11:14
I love it if you're bringing up these points, because these days come up a lot in day-to-day operations, right, and sort of people in your job. So I'm glad you're talking about those types of things. I love to talk a bit about just sort of the juxtaposition of kind of businesses and the way that they operate whatever it is they do, right, and then how cyber sort of rolls into that. And so I think, to me, there, I feel like there's a disconnect in a lot of ways, where a lot of times of business, whatever the business is, you know, let's say it's a restaurant, so business, the restaurant, you know, their jobs to make food and you know, to have customers and stuff like that. And they and maybe the cyber part of the technical part, they don't think about it as long as things are operating, right. So there, you know, their focus is kind of that, you know, we're going to, you know, we're going to run this restaurant, we're going to make customers, we're going to get customers and make a lot of money, or whatever. But a lot of times, to me, a lot of customers, not customers, a lot of businesses only think about cyber in a reactive way. So I think it to me, it's more of kind of a business mindset, where are you thinking, I don't have to deal with this, because it's not a problem. So I'll deal with it when it is a problem. But the problem with that posture is that, you know, having a cyber incident, depending on the severity, can put you out of business, but then your restaurant will close, right? So how do we get businesses to start thinking more proactively about cyber and not thinking about it? Like they're calling the fire department?

Alexandre Blanc  13:09
Yeah, I was about to jump on the fire side of things, you know, after all, we need to bring a threat modeling, which is using the super threat to Cybersecurity, but they do that already. They do have a threat model like robbery, fire, and they have insurance, you know, for their staff for the business continuity from an operation a for a performance loss and financial insurance. But they don't see the tool from it that took over the operation. As you say, right now we depend a lot on that like and even more lately, especially with the COVID with all the takeout and other stuff, it's all every it's usually relying more and more on it. And if you lose that stuff, it's kind of as bad as having a fire or, or robbery in the end. And also, it could be cyber robbery when you have a cyber incident. After all, it's exactly the same thing. And then you know, you have the trust to the brand with customers. And if you if the customer get their credit card stolen at your restaurant, and it's going to be, they will never come back on that side of things. So that's one of the challenges, and to explain that back to the threat modeling side of things. We need to translate the risk and the potential impact on the business. And also bring number, but that's something that's quite challenging because you know, we all like I work in MSSP managed security solution. And one of the things we do you approach in the communications that we show you all the numbers like cyber NC doesn't cost that much a year. And each cyber incident is that amount of money on the business as an impact. It's like, you know, fear-mongering stuff, and sometimes I'm blamed for doing like some FUD like, you know, fear, uncertainty, and doubt on LinkedIn. Why do it, like it's passe. 
So, yes, you know, we are as humans react over fear, why do we take insurance you know, for to protect the business and the package, you know what kind of package, it's because of fear if the likelihood of a fire is pretty high because that's always on that you do a lot of all thing and you know, there is a big risk of fire. So you will protect yourself against that you will put mitigation and compensation measures to the risk. So now, the scope, though, as we call it in the cyber world, the attacks, your first side of things, is growing to the extent of it. So we must integrate that stuff into the equation. So you cannot operate your business without protecting it as you will operate the building and the people as well. So that's the message that we try to explain. So on my side, on LinkedIn, I do share a lot about the incident that we see. And they actually are very great learning lists on the case each time there is an incident. We should focus on understanding how that did happen. What was the impact? And how could have it been prevented? And on our side as a business, it's more like, Am I protected against that specific case? Can I be impacted, you know, the threat modeling thing? Okay, there was a vulnerability, there was a threat, he did hit them. So do I have that same vulnerability? And did a place compensation measure against this? Like insurance, cyber insurance, but then the impact is also, you know, more about how long can I take your operation? You know, if we speak about the after your recovery time objective, that's very cyber again, but after all, it's we have to translate that to business, you know, restaurant, how long can you remain closed? Before you lose your business?

Debbie Reynolds  16:53
A lot. You talk a lot about the Cloud, right? Oh, yes. Wow. And it's all you have to think about Cloud, the Cloud. I remember, you know, not data myself. But I remember before the Internet before stuff. Everything was connected to the Internet. Like when people will buy servers or do implementations, you have to choose, right? Whether you want to connect it to the Internet. wanted it. So now it seems like almost everything is thrown on the Internet for someone who has Internet connectivity. And I don't think that's always necessary, right. But talk to me a little bit about sort of the Cloud and sort of the way that people misunderstand the Cloud or how they get in trouble. When they're trying the Cloud. I feel like the advertising, right? About Cloud is brilliant, right? So it makes it seem really innocent. You know, clouds are fluffy and nice. Do you know what I mean? So, and, you know, simple, almost the impression that they don't have to do stuff like they don't have something is in the Cloud, there's a responsibility that they don't have to do. What are your thoughts?

Alexandre Blanc  18:09
Yes, so, so that's if you read so many points from the shared responsibility model to its easy, cheap, cheap, and easy and always connected. So first thing simple. When we were in the server era, and you on your stack, and you wanted to publish, let's say anything on like a website, you did need to take action for that you had to, you know, to open a port on your firewall, know which port to route that traffic to the proper server, make it available online. So you need to work to understand how to get that connection and then make it work. So that's a lot of work that was slow and painful. But this is how you know, you are faster to your data flows and stuff with the Cloud. And you said it will anything you subscribe to there is already online. So that's a huge difference. And a huge step on the future side of things where people use to everything disconnected by default in the Cloud. It's all connected by default by depends on the Cloud provider. So my VM, you know that that Internet routing by default, some don't have and it depends on what kind of service randomly you take, you know, AWS is different than Azure. So default settings. But overall, when people go to Cloud, they want to be online, that is for sure. So what happened here is they also think, and that's the marketing side of thing you spoke about. Marketing sold them. It's easy, it's safe, it's cheap, and it's secured. Because they are the king of the data centers. They have the, they are the king of the POE poor efficiency because they have a great density and everything is available all the time. So you will think that that responsibility is on them and you just have to care about what you pay for. Like if you know, if you take a WordPress site and you just think about the article you put inside that stuff. So they have these views, like more kind of the SaaS model. But that's the model, consisting of many, many different steps. 
And the deeper you go into the service system of tweakable, you want the amount of responsibility you take. So that's one challenging thing. So you know, they moved to the Cloud, and they fought home, we're gonna need less it and excuses to manage that stuff, because it's all outside. But that's wrong. You just made something physical to something virtual. Not only that, but you also change the whole world, you are the local insulated network by default, and you're on the public network. By default, I assume we speak about the public Cloud. Because if you take a private Cloud, which can be an option, you basically rent the stack, you have the flexibility of the Cloud, but this is your stuff, and you still need to manage the connection. Right? So public Cloud, this is where like, every issue must have the issue happen. On the data leaking data protection, that there is that thing. So that's one side of the things. And when people get there, also, the environment of the Cloud is changing quite fast. They get new features, new option configuration, and changes. So what you learned, if you did learn, is changing on a regular basis. So that's a challenge for the organization. I don't know if I mean, you must remember that you've been working in an organization or I've been working for an organization where getting training was a challenge. If you want to subscribe to an online course, or if you want to go for a certification, then it's quite challenging to get it because they don't want to pay for training. But in the Cloud is even worse. You need constant training, constant learning because that thing is changing all the time. The best practices are changing as well. And Cloud is doing its job. They enhance chance, bring a better offer, the restaurant, that the nephew that was doing the IT is going to be the same people, they're going to ask to put the website online, and they're going to go Cloud. So who is going to do the Cloud? 
That's going to be in a few, and no, if you go in a bigger organization, SMBs, you get UI that when it goes something that's the accounting guide that goes through it as well. And as you grow, you get more and more dedicated people to this stuff. But in the end, you don't have a project manager, you have coordination. And the Cloud itself is a full project. So what would work locally, you know, you have some service stacked, and you could take backups, and you're good to go. Because it was working, you had the backup. That was good. You don't need to follow my process for my documentation when it moves to the Cloud. That's another story. It's full project management. So you need a project manager or someone technical with a project management mindset that will document that will maintain, and we communicate all the implementation. So as anyone else involved can work with it. And then you get these SMBs because they're, I mean, well, I was about to say they are the biggest amount of impacted company by server incident. But we saw so many big companies as well, I mean, even T-Mobile, that get that breach, and that was a kind of a fun one technical incident because it was just a basic step that was forgotten. So that's another story, you know, when the team grows so much that we lose control and visibility on the stack. And we end up forgetting this operation that was like either temporarily or Polish secure was a test, a test site. So what we see, and it's actually converging route, is that we need proper governance. We need actually a formal management process. It has been quite a nice ride in the 90s in 2000, even 2010. But now we see that given the threat landscape, given the evolution of all the leaks, the breach, the abuse, and the threat actors that go extremely smart and fast. selectors, scary people are very smart. They learn fast, and they do adopt technology extremely fast. So basically, they are faster than us. And they are more efficient than us. 
So there is no alternative to becoming more formal. Getting your stuff in order having your proper inventory. That's not unique. These were best practices back then in IT, but if you will not do it, it could still work today, with clouding. If you don't do it right. It's not gonna take long for you to get pound because of a single misconfiguration which is I don't know the number, but like more than 70% of the data leak or misconfiguration, open buckets, open blobs. And that's because of lack of governance, and his lack of time resource and prioritization. So we were speaking at the beginning about speaking to the board, speaking to the management, and asking for resources. They should know that if you go Cloud, you're going to need more than that. You're going to need skills. And you're going to need new tools because today exists, you know, there are some amazing tools that you run on your AWS or Azure, and they will pinpoint all the misconfiguration that we run, you connect that stuff to your Cloud, I think one is called a weasel something, and you connect them to your Cloud, it's gonna say, Oh, you are fully open access, and that resource, that resource is also not protected, and you don't have any governance on that side of things. So if you run these tools, it's going to help you fix the issues. So the solution, a technical solution exists. Now, privacy, and I speak alone. I don't know if you want to say anything.

Debbie Reynolds  25:59
Oh, my goodness. Ah, yeah, I would love to get on privacy. But let's talk a little bit about the kind of data, right? So in my mind, the way business people often think about Cybersecurity is like a castle, right? So we need someone to guard the gates, or we need thicker walls, or taller walls, to keep people out. But really, there appears to happen inside castles, that can be a problem. So for me, I always say, you know, how can you minimize your risk because you can't always keep the intruder out of the gate? And a lot of times, the problem is inside the castle already. So how do you turn this kind of idea about protecting the gate? So the gate is important, right? But how do you minimize the risk by looking at protects them at a data level?

Alexandre Blanc  26:50
So there is no more castle, there are no more gates, there are many gates if you look at it, but the data is still there. And the data is spreading. You know, we say the perimeter is gone. But the thing is, that's right, what we used to see as a castle protecting the assets in a restricted area like you lock your building, or you have a server room and stuff like that. That's no longer the case. Because data is moving around. Could be everybody moved out, work from home with data, you have it on the laptop, you have that moving everywhere. So there is a new parameter, which is the data itself. And to protect the data. First of all, we know we must know what we have. So we fall back on the inventory of the data. And then we need the help of the fancy will, DLP data leak protection? Well, good news, people, DLP won't work if you do not have data classification. And you do not have that data classification if you do not classify it yourself. And classifying data is extremely painful. Right? Know what yeah, I know what you have. And for every amount of data type of data you have, you must target and classify it as a certain category. It doesn't have to be too granular. I mean, you can go that folder is a chart that's going to be sensitive HR information. But thinking about folders is also an old view. When we had the NAS, and you had a shared folder, and each people had the right to access this stuff. Now we have Google Drive. We have OneDrive. We have people use Dropbox and all that stuff. And data is sync on many laptops. And the restriction is much more tricky. So when you go on the Cloud side, and you want to protect the data, oh boy, you need an army of technical solutions to help you in that if you want to have visibility, where the data is going, who is accessing it. So you need audit trails. And you also need to be able to know when the data is sent out. 
Like we saw that there was in the news in Quebec, in Canada, one of the banks, one of the employees stole the customer information like millions of customers and sold it to a broker of something. So even though they caught it but that was kind of too late. And if you think about that, they actually saw it, and I don't think any organization, especially in the SMB market, has the actual capability to know if someone stole the data. I'm not speaking about ransomware or just deletion or whatever. There are some of your employees, take a USB drive and copy all your provider information. Would you know it? Most likely not. This is where DLP governance and data classification kicks in. Now, because we can go deep and that even if you have the governance and you have all your data classified and everything, you have visibility, the threat actor knows that They're going to steal your credential. And they are going to impersonate an employee and access to stuff. They are supposed to access this entity, CEO, and impersonation when they try to access information as a user as an employee. And that the system cannot make a difference between what's your real user and what's a fake user if I steal your credential. So people now come with zero trust, amazing concept, zero trust in what it means should be seen more like a framework and guidance to implement more security control than an actual piece of technology solution. When you put your data assets on the Cloud, it's not only you. You take the decision for whoever the data information belongs to. This is where we reach privacy, you, as a company, have customers partners, and you have their data, and you decide to put that in the Cloud. So you take a risk of acceptance on behalf of these people. And these people have expectations is what GDPR tries to fix. This is where it becomes tricky. Because I don't want anyone to decide on my behalf if my data is worth being protected or not. And right now, the market is at that stage. 
You give away your data. And the data controller, the one who actually did the operation, the company that has this data, can decide what they do with it. They can decide if they can if they want to sell it. So this is where legislation, laws, data protection, those come into place. They are supposed to restrict that kind of access, either. I mean, we see Facebook behavior, and we can see that there are many ways to work around the law. And then, and then you get the compliance requirements that put the organization supposedly responsible for the data management. And we bounce back to the shared responsibility model of the Cloud. And, you know, if you have the thing on-prem, it's all on you. You also have your environment, your data, it's there, your issue one of your employees, see the data, it shows an organization or responsible cloud side, you have all these parameters, plus the cloud provider and the shared responsibility model that is well defined and well documented. But it becomes complex when your data and move across SaaS to where I am as a foster care service where you are supposed to be responsible for the server and the system. And then, you move back to SaaS, where you own the responsibility of configuring the SaaS security option. And all these things are extremely complex to manage. And this is why today, it's very blurry. And organizations don't even know exactly when, but intent. They just tried to operate in that dynamic environment in the Cloud, where there is no real ability for a cloud customer to respect the governance and the data protection.

Debbie Reynolds  33:25
I think the thing that privacy is doing, hopefully, that I think will improve, you know, what I see in terms of companies keeping to less data or, you know, stockpiling data or putting things at background or throwing stuff in the Cloud to me is you know, a lot of these laws have had stipulations about tying data to purpose. So once the purpose has ended, right, data should be deleted or removed or returned to the individual. And that's something that we didn't have in the past. So I feel like right now we're in a situation where companies who ignore that data that didn't have any reason, or having good reason to delete stuff, just kept up all along. Now we're seeing with a lot of these data breaches and stuff, a lot of them that come up, a lot of them are from legacy data. So this is the stuff that was mine didn't have like a high business purpose at the moment, right. And many have been put on a system that wasn't as secure or, you know, not a high top priority of the company at the moment, but then became like a huge risk at the end. What are your thoughts?

Alexandre Blanc  34:43
Yeah, this is true. And in the end, that comes from it and the legacy side of things where we had to protect data and preserve an archive. You know, the first challenge was tape archival, where you need to keep track, and that comes from the accounting where we need to keep track for the transaction to prove the good behavior for like many years back, so we applied the same policies and storage to data, which was not a big deal. And we didn't have regulations because it was not connected to the Internet. So basically, the value in that data market was not that big before. And that culture had to shift. But as you said, well, if you remove this data from this system, they will stop working. Because a lot of the systems, the legacy system are not supported anymore on the developed anymore. And yet, a lot of them still power critical infrastructure and critical systems. So there is a very big challenge. And also, the threat landscape and the threat model totally evolve quickly since then. So when we see and we bet on that same thing, it is because it's the same thing for IoT, and IoT unit, and industrial control systems. They were designed to all the system with safety measures, like people protection people safety for under the years. But they were not designed to be connected. So now we connect that everything. Same thing with the legacy systems, and we cannot modify them because they actually support critical operation. So this is not something we cannot stop the water, power grid. And this stuff on which we build the stack, but much that we meet Internet on TCP/IP, which is unsafe by design. Same as the email, we patch and try to bend it, everything like that. But it's extremely challenging because the shift is slow. It's funny because technology and Cloud are evolving so fast. But the change management on the critical infrastructure is extremely slow. So we cannot comply with previous systems. So what do you know about that technical solution?
Again, we don't like to have technical solutions to things zero the past. You can have micro-segmentation on the network and blind all these data on the legacy system. But the issue is the need and the operation need, where they want to access remotely to what was on the local before, and that's going to change in the workforce is moving, we want to work remote. So we need access. I mean, the rush of changing same as the rush of digital transformation. We forget the security by design. And when I say security, I think about the CIA, not the agency, which is confidentiality, integrity, availability. We focus on availability, a bit less on integrity, and not at all on confidentiality.

Debbie Reynolds  37:49
What kind of a sort of what I call low tech or no tech-wise, that you can give to companies, just some basic stuff that you feel like so I'm sure you watch these, you know, ransomware cyber-attack things really closely. And I do too because I want to know sort of how it happened, right? And a lot of times, it is basic stuff that happens, right? So someone posted their password on their computer, and they have high access stuff. So you know what, some basic low, low-tech, and low-tech things that companies can think about.

Alexandre Blanc  38:29
You know, on a normal day, I would say put multi-factor authentication of password managers spread that stuff and don't connect with don't need to be connected. But I've been on incident response, you know, people victim of this stuff. And you give advice on how to fix it. And this is simple. You just have to set that stuff, and we explain how to do it. But yet, they don't do it. So today, like just today, before we start this week, I was very desperate. Because I was wondering what is going to trigger the change? What is going to trigger the care, you know, the responsibility, accountability? How can we bring that back? That's my question today. Because we don't have a technical challenge. We know how to do it. We can do it. What's more, oh, will they hold do it? Because people don't seem to care. So I came to think like, the impact is not yet strong enough for a change to happen. I think kids are about to say that, you know until we get casualties. People won't just move. And so I always wanted to spread awareness now on best practices like organization, you should have backups. You should not have data that you don't need. That's basic if you need to adopt no governance, just don't store what you don't need. Because that's a liability that is useless to you and brings nobody, it's simple. And, but then know how to get people to care, should we get some extra bonus for people, you know, who would do well on awareness training, that could be something, learning how it works. 
And again, to understand if we, if we go back at the beginning of the hour, when we spoke about the restaurant, you know, the employee of a restaurant at the cash register, how to make sure that they follow the proper security stuff, let's say on the credit card thing, you know how to protect the customer data, what's going to be the incentive for them not to miss, I would like to avoid ending like China, where you have new that social credit rating, because when you think about that, what they did in China, the government associate credit rating, everybody knows they are being watched. And when someone is watching, you do what's right. But honestly, I am, the human nature to do better than that, we should be able to do better than that without being a big brother. Because I value privacy, I think you do. So maybe it's just going to be trade-offs. If you don't care about data protection, you're going to lose privacy. We're gonna just watch you non-stop. Yet people buy smart speakers and ring doorbells and stuff. And they still give it privacy.

Debbie Reynolds  41:44
If Alexander had his wish about anything in the world about privacy. And, you know, we did everything that you say, right? If it was the world, according to you, what do you want privacy to be either in regulation and technology and how humans deal with data? What are your thoughts?

Alexandre Blanc  42:07
It's challenging stuff because I am wham. And I would, and I would love to see everything encrypted. And any access to the encrypted data, be a one-time token for whoever I Hello, to achieve. So basically, and I could do like monthly stuff, you know, you want to make money from my bank, I'm gonna allow you a token once a month, and I will validate it. So I have control, I could automate my choice. But you know, give control to people. But I understand that a lot of people just don't want to think about it. Because you are in the field, I am in the field. I do that all the time. But if I didn't know, delivery guy, or you know, just cutting the grass for people around, I will not wish to spend all my time on my device, you know, just to do simple things. So it's very challenging, but what is sure is, I expect any service provider, a third-party provider to encrypt everything to apply the best practices. And maybe we should have a rating, you know, now today we have like some certification ISO 27000, or whatever certification you want. If we could have a public rating when you go and shop anywhere, and you know what kind of risk like the ecology I think in Europe, I don't know, if it's the same year, you have this equality rating of the consumption of the stuff power consumption of your device, I think we have it here to the power efficiency, we should have the data protection efficiency. So when you go somewhere, you can actually assess the risk in a simple way, and accept to do that. And if you want to access something, we should have the ability to use fake identities tied to us. I don't know how we can do that, you know, but I can be an extra level of law. But if I go in some one-time use place, I'm going to be an actor. I should be able to use something a one-time use. So even if that organization can bridge whatever happened, I don't care because that can be used anywhere else a bit like these one time. Could you tell us but for your identity.

Debbie Reynolds  44:35
So I love that idea. Sort of rate, the risk, almost like the energy use. So let's say the risk is 90%. Or my, you know, like one to 100. You know, we do this thing as a 90, you know, on a scale of one to 100 or maybe it's a 20 or a 30. And then that way you can compare because right now people can't, they don't have any frame of reference, right. So let's try. You don't use a coupon to buy shoes or something, you don't know where your baby is going, you don't know what the risk is what you don't even know the data that they're collecting. Right? Not just, that's why you're on a website that could fingerprint you and, you know, takes additional information that you never intended to share.

Alexandre Blanc  45:20
Yeah, and for each risk rating, we could have some basic recommendation to mitigate that, from the user standpoint, you know, that shop is dangerous, if you pay with your credit card pay with cash, that you just compensate the risk on your home. And if the and that people will understand, you know, you have that risk, and what to do to combat that, you see, once we understand that you want that, so is what action you should do and what you should not do. So, that could be something after all, because then consumers cannot be blaming anyone for not knowing this right now. The issue is that we trust blindly, without any way to take it. Well, correctly informed decision. There is no informed decision right now. So everybody's speaking about data-centric, okay, let's risk rate, every business every solution. And when you deal with these organizations, you know, the rating, it's not a big deal, the organization doesn't want to put any effort, they're going to be F and F will mean that there is no protection on this, this, this and that. And as a consumer, we just adjust no worry. No, no, no way.

Debbie Reynolds  46:33
Yeah. Oh, I love it. Oh, my goodness, that's really, really I was expecting to list for you. So that's great. So well, thank you so much. It's been great. Hope we have more chances to collaborate in the future. I really enjoy the knowledge that you share. And I learned so much from you and your newsletters are epic. So it takes me a while to get through those. But it's definitely worth it because you sort of keep on top of all these things. And so, you know, I love your passion. And I like the fact that you know, I always tell you online that we don't deserve you. So I feel bad when I read your newsletter, so I'm like, Oh my god, he put together so much information. This is ridiculous. You know, it helps me a lot because I can help you curate so much information. It's like helps me not to have to look for some of that stuff. That was great. Yeah, well, we'll definitely talk soon. Thank you so much. I really thank you. So bye-bye.