"The Data Diva" Talks Privacy Podcast
The Debbie Reynolds "The Data Diva" Talks podcast features thought-provoking discussions with global leaders on data privacy challenges affecting businesses. This podcast delves into emerging technologies, international laws and regulations, data ethics, individual privacy rights, and future trends. With listeners in over 100 countries, we offer valuable insights for anyone interested in navigating the evolving data privacy landscape.
Did you know that "The Data Diva" Talks Privacy podcast has over 480,000 downloads, listeners in 121 countries and 2407 cities, and is ranked globally in the top 2% of podcasts? Here are some of our podcast awards and statistics:
- #1 Data Privacy Podcast Worldwide 2024 (Privacy Plan)
- The 10 Best Data Privacy Podcasts In The Digital Space 2024 (bCast)
- Best Data Privacy Podcasts 2024 (Player FM)
- Best Data Privacy Podcasts Top Shows of 2024 (Goodpods)
- Best Privacy and Data Protection Podcasts of 2024 (Termageddon)
- Top 40 Data Security Podcasts You Must Follow 2024 (Feedspot)
- 12 Best Privacy Podcasts for 2023 (RadarFirst)
- 14 Best Privacy Podcasts To Listen To In This Digital Age 2023 (bCast)
- Top 10 Data Privacy Podcasts 2022 (DataTechvibe)
- 20 Best Data Rights Podcasts of 2021 (Threat Technology Magazine)
- 20 Best European Law Podcasts of 2021 (Welp Magazine)
- 20 Best Data Privacy Rights & Data Protection Podcast of 2021 (Welp Magazine)
- 20 Best Data Breach Podcasts of 2021 (Threat Technology Magazine)
- Top 5 Best Privacy Podcasts 2021 (Podchaser)
Business Audience Demographics
- 34 % Data Privacy decision-makers (CXO)
- 24 % Cybersecurity decision-makers (CXO)
- 19 % Privacy Tech / emerging Tech companies
- 17% Investor Groups (Private Equity, Venture Capital, etc.)
- 6 % Media / Press / Regulators / Academics
Reach Statistics
- Podcast listeners in 121+ countries and 2641+ cities around the world
- Over 468,000 + downloads globally
- Top 5% of 3 million + globally ranked podcasts of 2024 (ListenNotes)
- Top 50 Peak in Business and Management 2024 (Apple Podcasts)
- Top 5% in weekly podcast downloads 2024 (The Podcast Host)
- 3,038 - Average 30-day podcast downloads per episode
- 5,000 to 11,500 - Average Monthly LinkedIn podcast posts Impressions
- 13,800 + Monthly Data Privacy Advantage Newsletter Subscribers
Debbie Reynolds, "The Data Diva," has made a name for herself as a leading voice in the world of Data Privacy and Emerging Technology with a focus on industries such as AdTech, FinTech, EdTech, Biometrics, Internet of Things (IoT), Artificial Intelligence (AI), Smart Manufacturing, Smart Cities, Privacy Tech, Smartphones, and Mobile App development. With over 20 years of experience in Emerging Technologies, Debbie has established herself as a trusted advisor and thought leader, helping organizations navigate the complex landscape of Data Privacy and Data Protection. As the CEO and Chief Data Privacy Officer of Debbie Reynolds Consulting LLC, Debbie brings a unique combination of technical expertise, business acumen, and passionate advocacy to her work.
Visit our website to learn more: https://www.debbiereynoldsconsulting.com/
The Data Diva E6 – Patrick Kelley and Debbie Reynolds
Debbie Reynolds, “The Data Diva,” talks to Patrick Kelley, Chief Technology Officer of Critical Path Security, a premier cybersecurity advisory company. We discuss FIDO (Fast Identity Online), the critical need for a cybersecurity plan and business continuity, proactive approach to cybersecurity, communicating cybersecurity in ways they understand, the basics that businesses miss about cybersecurity, the differences between data privacy and cybersecurity, the increased risk of over-retention of data, the use of geofencing, indiscriminate data collection, the data privacy and the risks of shadow IT, data breach risks with C-suite executives, the need for a culture of cybersecurity, why cybersecurity insurance is not a substitute for cybersecurity, the repercussions for data breaches, the future of data privacy, trust and bundled services.
Data Diva and Patrick Kelley
40:53
SUMMARY KEYWORDS
people breached, company, data, Cybersecurity, problem, security, privacy, organizations, allergy, called, feel, sandwich, find, work, person, Argentina, passwords, two-factor authentication
SPEAKERS
Debbie Reynolds, Patrick Kelley
Debbie Reynolds 00:07
This is Debbie Reynolds, "The Data Diva Talks" Podcast. I am super happy to have Patrick Kelley on the podcast today. So Patrick is the founder of Leargas Security and Critical Path Security. He has over 25 years in the Information Technology industry with information, emphasis on information security, and network security. He's been on panels with members of the FBI, CIA, NSA. He's also a Cybersecurity expert for NBC News. He also has a lot of his research covered in publications like Fortune, Bleeping Computer, CNN, The Guardian, The Globe, The Mail, and Krebs Security Online. Without further ado, I want to talk to Patrick. I'm excited to have you on the program. You and I had done an MIT panel. The MIT folks called me up and asked me to be on a panel with you. I absolutely can't wait to do it. It was a great panel. It was a good panel. It was about FIDO [Fast ID Online]. And it's not something that you hear a lot of people talking about. I think not enough, at least. So what were your thoughts about it?
Patrick Kelley 00:54
Hi. It was one of the more rare talks and conversations that I've had. And in fact, I think that it might have only been the second time I've ever been asked to come and speak about FIDO. I've often called to talk about how terrible passwords are. And we do a ton of incident response with organizations that are breached due to credential reuse, and, and not using password managers and having insecure passwords, that sort of thing. But when that, I reached out and asked, do you want to talk about FIDO, and I was thinking, wow, this is going to be a very interesting audience. You know, if they're, if they're gonna dial into to hear about that, so I enjoyed it because it was different. It wasn't just kind of the traditional, use password managers, do use two-factor authentication, we kind of broke out of that cycle, and it was good.
Debbie Reynolds 02:16
I don't know about you, and there are certain things that drive me crazy. It's like, it's like fingernails on a chalkboard. So what thing drives you bananas, that businesses do that you think they need to know, right now?
Patrick Kelley 02:29
The thing that drives me crazy is, they often don't have a plan. And, how building a plan on how you're going to respond to an incident or how you're going to conduct yourself, in those harder times, you don't have to make a significant financial investment, to just build a plan. And, there's a, there are a million things that when I started 20 years ago, or so, however long it is now and just weird COVID time travel. And, I didn't expect that, the problems I had, then were gonna still be the same problems that are in organizations today. But it lacks a plan. And, and we will speak with organizations and, the common sort of statement as to why they don't do it, and they don't take the effort is because they don't feel like they're important enough, they don't feel like it's going to happen to them. They've never heard of a company like theirs that had been breached before. You know, and I always respond to those questions as well, the reason that you don't hear about companies like yours that have been breached is that they're gone. If you look at Target, and you look at Home Depot, and you look at Anthem, these other companies they have war chests, of money and they have, proper fit Cybersecurity insurance, and they can suffer the sort of the impact of reputational damage, and I mean, heck, Target ended up going on to make to become even more wealthy on the other side of the bridge, but when he sent across a multi-generational company, where the grandfather had started this and willed it into existence, and the father carried along and then they the third generation is there, and you're having to explain to the grandson that because of one email that was clicked, that 60, 70 years of effort is about to be unwound and he's going to go work for somebody else. It is absolutely devastating. And it's just frustrating that we just don't take the time to write a plan. Just know what you're gonna do.
Debbie Reynolds 04:52
Yeah, exactly. I know, for years, in MBA programs or business programs, they always talk about business continuity. And a lot of business continuity plans, unfortunately, didn't really roll in Cyber. And they certainly weren't thinking about pandemics a lot of them. So I mean, now business continuity is like a hot new word. Now it's been around for a while. And then too, I think, the frustration that I have, and I know that you have to be a Cybersecurity person, is that people think Cybersecurity should be reactive, as opposed to proactive, so they're not as interested in investing proactively, even in just the effort of like I said, planning, because then when something happens, like, Oh, well, now I'm gonna call a Cybersecurity person, they're gonna save me, it's like, well, no, that's not exactly how it happens.
Patrick Kelley 05:50
No, and you ask a question about what frustrates me with businesses, but, what really frustrates me, in our industry, is that we all want to go out, at least when we start, it seems that we all want to go out. And we want to be the first group that built the new cool thing. And, and it's got to be machine learning with some AI and some blockchain and some blah, blah, buzzword Bingo. But, why it, we have all of the blinky light boxes that we need. And the amazing people that I've known in my career in Information Security, they didn't build anything. They, they were never software engineers, they were the people that I reported to, that were capable of taking, complete and total geekiness. And, and they could, they could fit it into the business, and they could associate risk to it. And they and I knew how to they understood their board of directors, they understood the culture at our company. They didn't build anything in Python. They were the people that had the ability to make any of that effort worthwhile. And in our industry, this sort of gatekeeping, where if you don't have these 12 certifications, and you're not an OSCP, and you don't write fluently in Python, I mean, that, that, that has got to go, because we don't need people. You know, as much as we think we do that our elite hackers and just, what, that, ten multiple, or multiple engineers or whatever the old the terminology that went out for 10X engineers, we need people to communicate to the companies in the way that they understand, because I do believe that a lot of our breaches and our data as being leaked, is being done, because we are so impressed with ourselves and Cybersecurity, that we don't, we feel like the rest of the world, and the C Suite has to come to us. And surprise, like, that's not the reality.
Debbie Reynolds 08:29
Well, I mean, you have to meet people where they are, right. So agreed, I had a conversation with some really brilliant Cybersecurity women in Africa. Fantastic. And some things that they were saying, which is true. So when you think about the breaches that you hear about on the news and certain companies, it's no one. It wasn't Tom Cruise hanging from the ceiling with a wire. It was like someone's password was taped on their monitor, and someone got it like, that's what happens. So thinking about not just like you said, not just the blinky light box thing about Cybersecurity, but just the regular protocols that you should be doing that don't cost you anything as it costs you nothing to clean your desk, at the end of the day, or it costs you nothing to print sensitive documents and have your kid like writing their homework on it like that cost nothing.
Patrick Kelley 09:27
Absolutely. And, I was teaching a class in Argentina and through The Mentor Project just two or three weeks ago. And, my advice to them was, go get a password manager and do two-factor authentication. It's free. You can get a personal LastPass account for free. You can get a duo a personal account for free. These aren't this isn't anything that you have to go and wreck your household budget. And, those are things where like we were working in incident response last week. And we're kind of to the reporting process of that right now. And we're working with the FBI and Secret Service and getting some stuff moved around. But a lot of what we're finding that was involved in that breach was just credential reuse. So if you go get a password manager, and you don't reuse passwords, it makes such a huge difference. And if you use two-factor authentication, but you bring up something interesting, because it was when we were discussing it with kids in Argentina and with the businesses in Argentina. You know, what we fail to recognize is that, in the United States, we have this massive information, security budgets, and we get it wrong. And in Africa, and in Argentina, and Venezuela, and so many other countries that I work with, that don't have these massive budgets, they do just as an effective job, as we do most of the time because I've come to find that they're just more resourceful. They go and find the thing that works, even if it's not, a new PO, that's got to be cut. They're just more resourceful. So I'm glad you brought that up. I really am. There's a lot of really easy ways for people to help themselves. And we'd have to do it.
Debbie Reynolds 11:28
Yeah, exactly. So I think, instead of looking at the new higher price tag Ferrari that you have, maybe you just need to pick up the broom and mop that you have in the cupboard and do just some housekeeping. Perhaps.
Patrick Kelley 11:42
That's why I say that you're brilliant. That's, that is a phenomenal analogy on what it is you don't want to give a 16-year-old a Ferrari, they're gonna put it in the wall. See, you can do just as good of a job with a Honda if how to use it. Absolutely. So what we need to do is just we need to send brooms to everybody. I think that's it.
Debbie Reynolds 12:06
Exactly, exactly. I love your thoughts. I would like to always ask people the difference between Cybersecurity and privacy. I feel like especially in the news, you do a lot of stuff the media many times they confuse those terms, or they don't understand that they're sort of different disciplines. They have a symbiotic relationship. I want to your point of view about those two disciplines and how they work together.
Patrick Kelley 12:31
I feel like yes, they intertwine. But data privacy and violations of it are typically the output of poor cybersecurity hygiene. And that's typically that's quite often where that that behavior in that relationship ends, my issue with privacy and with data that that has been used against, myself and everyone else is, quite often I find that it's data that's retained about people that doesn't have any utility in the business. And there's kind of hope, or there's a fear, that down the road, a company is going to build some sort of program or a platform or, and, and they're going to need all this data. What's so frustrating to me, and I do too, and I tell on Security Awareness training is that you don't have to protect what you don't have. And if you don't have the budget to secure everything, and no organization has the budget to secure everything. Why are we collecting things about people in Clinton harvesting personal data on every person that we work with that doesn't have any utility, and it frustrates the hell out of me. Because sure, Cybersecurity, it, it can be a control, to help protect data privacy, but at the same time, if you're not collecting it, we don't have to, we don't have to try to find how to make that control work. So that's kind of how I feel about it, but recently, I had an event that I don't know that changed my opinion, but it definitely gave me a moment of pause. And there was a in the past, I've largely been pretty averse to Geofencing and, and harvesting that data that I worked with a news station here in Atlanta. There was an individual that was accused of killing his parents. And he, he was arrested, and even his family members came out and said, yeah, he's a killer. And there was no way this person was ever getting out of jail. And it was a typical stereotype situation, and it was terrible. And they ended up using Geofencing to prove that he was never there. 
But at the same time, they were able to use Geofencing to determine who was there at that point in time. And then they were able to correlate that with pawnshop proceeds, he still spent 13, 14 months in jail. And, for the rest of his life, there's going to be that impact of his own family, thinking that he was a killer. And it's not that I'm not grateful that Geofencing and that privacy being collected was useful, and I was thrilled to learn that he was exonerated and the killer was brought in. But I am concerned about how that data is used without us knowing it. And, the organizations kind of take for granted what they have.
Debbie Reynolds 15:53
Absolutely. So I actually read the article, because you were quoted in an article, and it was really interesting. You know, I have a problem, geo-fencing, too. And that is related to indiscriminate data collection. So the situation that you talked about, it's exactly the way geo-fencing should be used, like, there's a crime has been committed, they're trying to give more information is very targeted to that date and time that place is not just getting everyone has a police car, record everyone's license plate. Yeah, rolling down the street or something like that.
Patrick Kelley 16:31
Yeah.
Debbie Reynolds 16:32
But yeah, I also think, the other point that you have brought up, which I always like talk to people, which is data retention, like we have data retention problems all over the world like this is people keep way too much data. And it especially legacy data. So when I'm talking to people, when I'm talking to companies about what their processes procedures are, and how they do XYZ after they give me their whole spiel, I say, so where is that room? Where's the room where that all that stuff is in? Some old server is plugged in somewhere that no one wants to? Right? But nobody wants to talk about like, Where's that? You know, so it's sort of like that, that legacy data, people, keep it because they think it has some value. But what they don't realize is that that may be some of their biggest risks because that's probably the easiest way for a hacker to get into their system. And then because it's the data, so although they don't know what's there, they're gonna spend a lot of money trying to figure it out.
Patrick Kelley 17:31
You know, you're absolutely right. And, and what compounds the problem is shadow IT and Cloud. That is sheer arrogance. But we'll start at the beginning, and then we'll move to arrogance. You know, we, in line with what you are saying, exactly where you're saying, we have individuals that go in organizations, and they're in development, they're in the Dev team or Dev Ops team. And they don't want to wait to go through the procurement process and to get a PO issued for a new server. So they just go and spin one up in AWS, or they spin up a line node or something Google Cloud, and they don't tell anybody they're doing it because they're going to use a free, a free tier node. So they go and get old data because they're arrogant enough to believe that they know everything about where they're going to put this data. And they're arrogant to the point of not understanding that just because the data has a date on it, that doesn't actually reduce its value. So, yeah, yeah, exactly what you said, thanks. OK, this is great. I love the show horse thing that you're doing for me, where you're bringing out all your policies, and you're bringing out all your, your methods and your guidelines and your standards. But, and I appreciate the show with that with the show horse. But but but I'm a plow horse. You know, and I'm not here for the show. I'm here to work the plow. And when I look to see that you've shoved my information into an AWS instance that the company doesn't know anything about, because it's free. How should I feel about your company that one of your engineers had the ability to just go and take my data whenever it was created and use it for a profit. And just a discounting that my DNA, my biometrics, my, any allergies that I have? Thank you, Starwood Marriott, and my birthday, that you just shove that out there. There's a good chance about a time from here to the point that I died, and I'm still going to have that allergy, right.
And I don't really need the world to know it just so that you can get some rewards points.
Debbie Reynolds 20:00
Exactly, or that insurance decides, they don't want to insure you, because somewhere down the line, they get that information that you didn't even know that it got passed over to someone else.
Patrick Kelley 20:10
It already happened to me. Yeah. In actuality, I went for life insurance just about four months ago, four or five months ago. And, and we still haven't resolved it. But we have three carriers that just fast denied me. I don't mind calling them out because they discounted me, but Prudential, Blue Cross Blue Shield. And then MetLife, all three of them, went and found something that had nothing to do that I didn't even know about. But while we're picking on people? Do you know? Why do I have to fill out my name address my allergies to get a sandwich from Publix?
Debbie Reynolds 20:56
Absolutely.
Patrick Kelley 20:58
I'd, and I reached out to them on Twitter. And I'm like, why are you accepting the risk of holding this data to sell me cold cuts? Like, it's a $5 sandwich. Like, why are we?
Debbie Reynolds 21:13
Well, what, this is actually interesting. I'm glad you brought this up. So I can tell you exactly why this happens. And there's a legal lipstick reason. OK, so there was a company I can't remember. Pret A Manger or something. OK, they had, they sell sandwiches, so they have something that they're supposed to put on the sandwich. It has peanuts or something in it. Anyway, some person bought a sandwich, or they had peanuts, and it wasn't labeled, and they died. And so now sandwich shops, they either try to like superduper label stuff or like Publix, they're taking maybe a strange tack by trying to find out whether you have an allergy. So if something happens to say, Patrick said you didn't have an allergy or whatever.
Patrick Kelley 22:00
So yeah, but that's such a chicken and egg, sort of argument, right? It was like, an OK, I have a peanut allergy. I feel like I should be responsible for telling the stranger that's gonna make a sandwich. You know, hey, don't put it over there about a Peter Pan peanut butter. You know, I'm a kind of a Jif guy, like the problem with, with that? You know, and I don't really need to know that the coffee's hot. Cuz I just ordered hot coffee. Yeah. Again, where does it stop?
Debbie Reynolds 22:38
Oh, exactly. Exactly. I heard a statistic that said credit card companies make more money on the data they sell about people than fees. So a lot of people, they don't want to spot the spot. This, the gravy train, is happening. One thing that you mentioned, I will talk about a little bit more about is Shadow IT. So I've heard a lot of different things. I actually was part of a group where they were trying to say that this will lawyers are saying maybe we should embrace Shadow IT, and I'm not comfortable with that. You know, I guess I have a lot of feelings about it. I just wanted to know what your thoughts were? And then I can tell you what I think.
Patrick Kelley 23:24
Yeah, I'm actually really interested in what you think. But that, that I'll lean in, my thing is that I would love to know, an argument where the company believes that taking data, and or having assets that are assigned to them legally, and not having a record of it is somehow of value, or it has some sort of a benefit because I don't matter how hard I try, I can't get there if I came to work and I found out that, data had been taken and thrown into a server that I knew nothing about, but I was legally responsible for, because it was built on behalf for CriticalPath security from one of my teammates, and that I had customer data on it. Yeah, that's a hard no. So I mean, I'm, I'm good all day with embracing Cloud, right. I mean, I started way back in the day. I used to manage exchange mail servers and Lotus Notes and GroupWise. And this is way, way, way back. And, back in a time where the music I listened to is still cool. So that kind of gives you a perspective there. And, and so I remember that it was kind of complicated then. And like Exchange servers now are so complicated, you need a team, and business intelligence platforms are so complicated you need a team. So I get Cloud right some things that we want are so complex that staffing an organization to maintain and care and feed for it is difficult, but I can't get there. I can't get there with Shadow IT like willful ignorance, so you have something living out there just doesn't work.
Debbie Reynolds 25:25
Yeah, I'm totally not a fan of Shadow IT at all. Because it to me, when you dig down, you drill down deep, deep enough is typically a person just doesn't want to follow the path of whatever it is that that the company has decided. So, I've had people I had a woman once to tell me; we were decommissioning this old, this really old legacy system, for one that actually worked and did stuff. And she was very familiar with that old system. But she didn't want to go to this new system; we had done a lot of one on one stuff. And she might literally say, like, you have to, like pry this from my cold dead fingers before you get out of my hands. Challenge accepted. I was like, Duly noted, we may have to do that. So a lot of it we drill down to it is people really not wanting to embrace the path that the company has. And it really is a huge risk. So I think, I wouldn't allow people to do it, even though I see especially at smaller companies, where it's like, oh, the CFO CIO wants to do something different than everyone else, or, to someone in the C Suite or something, everyone else has these other rules, like, for example, about passwords. Everyone has had passwords to change every few months. And they have to be a certain complexity. But these C Suite guys, they have different things. And to me, that as a direct correlation those are the people who end up getting your company breached because they're doing something different than everyone else is like almost like the, you see the penguins huddled together. It's the ones on the outside. You're like a target. Those are the people that have a problem, right.
Patrick Kelley 27:09
They're the ones that feed. Yeah, exactly. You know, you're absolutely right. And you bring up an interesting point. And, and one of them's a little bit of a trigger, and in the back, could be a little bit of a trigger for some and, and for the last 30 seconds. I'm like, man, should I say it should just keep my mouth shut. But I'm gonna say it because I've never really good about keeping my mouth shut unless there's a foot stuck in it. Validating doing the wrong thing because it had the right outcome isn't that's not valid. And I think we have a lot of the societal and cultural problems that we're having right now, across the entire world, but heavily in the United States, because we're doing things that we know, groups of us are doing things that we know, are wrong. And then we're validating it because it just happened to turn out right. And because something turned out right doesn't mean that it is right. But you mentioned a C Suite. And you're absolutely correct. And it's not just there either. Like we had an issue, we were called in to do an audit of GDPR for a firm in New York. And I remember sitting down with them, and they're very angry that GDPR existed. And they are they're actually lashing out a bit on me about GDPR existing, and I'm sitting there going well, OK, well, you're the attorney. So I tell you what, stop creating it. You know, but GDPR exists because we couldn't act, right. Like, there wouldn't be privacy rules if we didn't abuse people's privacy. But, we ended up not taking the job. Because the attorneys were very forthcoming that they were not going to adhere to it, that they were going to have the staff do it, that they're gonna have everyone else do it. But by God, they were partners, and they billed out at 750 an hour, and they weren't going to have anything getting in their way. And so, you're right; there's kind of this sort of mentality that, none of this applies to me. 
And even when the breach occurs, they still don't believe that it applies to them.
Debbie Reynolds 29:35
Yeah. It has to be a culture. It has to be a culture of top-down security. And, it has to be the top guys following it just like everyone else at the bottom. Chances are if your company gets breached is not the low-level employee. They get breached. It's probably a high-level person who is not doing what they're supposed to do. Or someone has their credential and, like, like, maybe the one other target is like the secretary of a C-suite person. So a lot of times, they have their secretary logging in as them doing different things. You know, some people like we, when we're reading in the newspaper, where they say, this company, they lost this money because someone sent someone requested change the routing number, three o'clock in the morning, and if we're thinking out from the outside looking in, well, that person think it is unusual, but this actually happens in companies. So the problem is the culture of a company that needs to not be acceptable, or it needs to be a situation where a person feels like they have the ability without repercussions to be able to go up to someone and say, Did you really send this, this is OK to do?
Patrick Kelley 30:48
Well, you're absolutely right in that in and I find that, when we're doing security audits, so so by the way, if there are any potential customers ever out there that end up hiring us, I'm going to give you a little bit of a cheat sheet. You know, when we make phishing attacks, we target that. We look at the culture, we look at Glassdoor, is this a company that works for their staff at crazy hours, and their staff feels like they have to overachieve or they're fired. And we will send phishing emails to the support staff at three or four in the morning because we know that they're going to come in first. And they are so eager to please because they're in a culture where being honest and telling the truth is almost a detriment. And so they're going to do whatever they need to do to look like they're, they're competent, and they're doing the right thing. And we always go back to the company and say, why did your employee feel like, for them to be recognized, and to do well here? Why did they feel like they had to work at 3:30 in the morning and send out an email without doing any approval? What what, what led to that, because that's simple to me, that is a huge cultural red flag.
Debbie Reynolds 32:16
I like the fact that you say you do that because you can't turn a blind eye to culture like culture explains a lot of what happens within organizations, and then leaders have to be accountable for that. I don't know how you feel about this with insurance. So well, Cyber insurance, people feel like I don't need Cybersecurity because I have Cyber insurance or whatever happens, they're gonna pay for it. It's like, you're not patching your servers and doing just the basic things, you probably aren't going to get paid out for that.
Patrick Kelley 32:44
I'm telling you right now that that's the case. I think I'm on my eighth or ninth phone call today. And for those phone calls have been with insurance companies, and with insurance companies and the actual insured. And on two of those calls, the claims are currently being reviewed as to whether they will actually pay those or not. Because there were machines that weren't patched, there was credential reuse, and there was kind of a lack of proper compensating controls. They hadn't had a pen test in years. And then we're finding 2000 servers and 2003 servers that are sitting on the network with old database platforms, and those
Debbie Reynolds 33:27
back rooms,
Patrick Kelley 33:29
those back rooms. If I put it over here in the corner,
Debbie Reynolds 33:34
Yeah, exactly. Exactly. Nobody will see it. Precisely. What is it? If you had to, 'cause I think both of us work on the intersection of privacy and Cybersecurity. I'm more on privacy or more Cybersecurity. But if you had one wish, if the world, according to Patrick, about privacy laws and things like that that happen, what would be your desire?
Patrick Kelley 33:58
Stronger repercussions, straight out of the gate. Stronger repercussions. I mean, when Anthem, when Equifax got breached, the payout to a user, if a user got paid out at all, was $36. Right. And a year of credit monitoring. Why is that going to prevent any company from doing anything? You know, you look at other companies that have been breached. And they ended up spinning the media in a way that they got a huge breach, and they minimized it, but then they maximized how often they reached out to talk about the amazing things that they were doing and how they're such a better company. And they're going to come through it, and they turned it into this by turning incompetence into a hero story. And then the stock goes through the roof, and they make more money. But there's no, yeah, there's no repercussion, and we're the ones that get attacked.
Debbie Reynolds 35:04
Absolutely, it has to be more consumers, not consumers, humans, right? So I think, because not every human is a consumer, we need to think of it as a human problem. And Equifax, in particular, is extremely dangerous because, as you said, if you have a peanut allergy now, you're gonna have it ten years from now. So some of the information they capture will be in use for many, many, many years, not just the one year of credit monitoring or whatever. Lord knows what is going to happen with that data down the line.
Patrick Kelley 35:38
Well, I don't think, and again, I just don't think that they care. Yeah, for instance, part of the Equifax breach was somebody leaving default credentials in place on a border server that had individuals' data on it. And that to me, like, you can tell me that you worry about my privacy and you care about how you're acting. But words are cheap. I mean, the actions, on the other hand, show that you don't really care about any of us. Yeah, yeah. But I've come to tell people that we have to be very, very picky now about who you're willing to create an account with; you have to be very careful about what information you provide them, and you have to make a choice as to whether it's worth it. Because there has been implied trust and implied confidence that Facebook and the rest of these companies cared about us, and that the things that they said, that they're really going to do them. But there's election fraud, and there are data breaches we have to deal with.
Debbie Reynolds 36:48
I think there's going to be a huge consolidation. So it's going to switch from the company's power to the individual's power. And people are gonna go and find companies they trust, and they're going to share more data with them, and they're not going to share with, like, thousands of other people.
Patrick Kelley 37:01
So when does that happen?
Debbie Reynolds 37:05
I think it is going to happen, first of all, because of iOS 14. So basically, they took a really bold step to say, let the consumers decide, and let consumers consent to stuff, and let them know what they're doing. But part of that play is to say, trust us, trust Apple, give us more of their stuff. It is not a coincidence that now they're rolling out bundled services. So I think the future is bundled services with trusted companies, and these other people, if you can't get people to trust, it's gonna be hard for them to be able to compete in the marketplace with these bigger companies if they trust them.
Patrick Kelley 37:42
I think my only argument to it is there was a point in time that we trusted the companies that now we don't trust anymore. It's true. And we seem, and this isn't the only kind of industry or category that fits in it, you know, it just seems that we trade friends and adversaries like baseball cards.
Debbie Reynolds 38:05
Yeah. Yeah.
Patrick Kelley 38:05
The companies that say that we should trust them now.
Debbie Reynolds 38:11
Right,
Patrick Kelley 38:11
You know, how's it gonna be, a little bit down the road when we can't?
Debbie Reynolds 38:16
Absolutely, that's so true. I had not thought about that. Well, I would love for you to tell people how they should be able to contact you.
Patrick Kelley 38:23
You know, I'm pretty easy to find: Patrick Kelley on LinkedIn, and you can reach me on Twitter at pkelley2600. I'm an old, old hacker, a 2600 head from the '90s. So pay homage. You know, you can find us any of those ways, or you can Google Critical Path Security. But, Debbie, as always, you always know how to find me.
Debbie Reynolds 38:48
Absolutely.
Patrick Kelley 38:49
Find me. Just go to Debbie.
Debbie Reynolds 38:51
That's right. Exactly.
Patrick Kelley 38:54
She's The Diva, thank you very much.
Debbie Reynolds 39:00
Well, thank you. This is a fantastic show. And I really hope people reach out to you. You're just so whip-smart. I think the reason why I really, really like you is you're very plain-spoken, like me. And I don't know. Maybe we get in hot water for that. But I like it!
Patrick Kelley 39:16
The minute we talked the first time at a planning meeting at MIT, I was very impressed. You really understand the problem set, and you approach it in a way that, even though it's a tough subject, you approach it with calm and comfort. You know, you're brilliantly intelligent, and in any interaction that I've had with you, whether it be this or MIT or even a message on LinkedIn, I always feel better after it. So even if I'm smiling, I'm having a good day, and today's been a good day, like, when we get to the end of my conversations with you, you just make me feel better. And if you're going to deal with difficult stuff like this and this subject matter, it's a quality that I really appreciate. So the honor is mine to be on your show today. You're absolutely the diva, and I feel incredibly honored. So whenever I can help you out or do anything for you, just let me know.
Debbie Reynolds 40:19
Oh, same here. Thank you. That was so sweet. Oh my god. I don't have to record that and put out a ringtone or something.
Patrick Kelley 40:27
Play it back to yourself. Sometimes you gotta have a little bit of that outside. Yeah, exactly what someone cares for me today.
Debbie Reynolds 40:35
Exactly. That's amazing. Well, so glad to have you on the program, and I'm sure we'll talk soon.
Patrick Kelley 40:41
We will. Take care, my friend.
Debbie Reynolds 40:42
OK. Bye-bye.