Computational Biologist and Founder of Protocols.io, Lenny Teytelman (Part two)
We continue our conversation with Protocols.io founder Lenny Teytelman. In part two of our conversation, we learn more about his company and the use cases that made his company possible. We also learn about the pros and cons of mindless data collection, when data isn’t leading you in the right direction, and his experience as a scientist amassing enormous amounts of data.
Geneticist and Founder of Protocols.io, Lenny Teytelman (Part one)
Reminder: it’s not “your data”.
It’s the patients’ data
It’s the taxpayers’ data
It’s the funder’s data
If you’re in industry or self-fund the research & don’t publish, then you have the right not to share your data. Otherwise, it’s not your data.
— Lenny Teytelman (@lteytelman) July 16, 2018
A few months ago, I came across Protocols.io founder Lenny Teytelman’s tweet on data ownership. Since we’re in the business of protecting data, I was curious what inspired Lenny to tweet out his value statement, and I also wanted to learn how academics and science-based businesses approach data analysis and data ownership. We’re in for a real treat because it’s rare that we get to hear what scientists think about data when in search of discoveries and innovations.
Data & Ethics Expert Dr. Gemma Galdon-Clavell: On the Breach of Trust (Part Two)
Dr. Gemma Galdon-Clavell is a leading expert on the legal, social, and ethical impact of data and data technologies. As founding partner of Eticas Research & Consulting, she traverses this world every day, working with innovators, businesses, and governments who are considering the ethical and societal ramifications of implementing new technology in our world.
We continue our discussion with Gemma. In this segment, she points out the significant contribution Volvo made when they opened their seat belt patent. Their aim was to build trust and security with drivers and passengers.
Gemma also points out that we should be mindful of the long-term drawbacks if you ever encounter a data breach or a trust issue – unfortunately, you’re going to lose credibility as well.
Gemma Galdon-Clavell: The Legal, Social, and Ethical Impact of Data and Data Technologies (Part One)
I wanted to better understand how to manage our moral and business dilemmas, so I enlisted data & ethics expert Dr. Gemma Galdon-Clavell to speak about her leadership in this space. As founding partner of Eticas Research & Consulting, she traverses this world every day, working with innovators, businesses, and governments who are considering the ethical and societal ramifications of implementing new technology in our world.
In the first part of our interview, Gemma explains why we get ethics fatigue. Unfortunately, those who want to improve our world are consistently told that they’re not doing enough. She also gives us great tips on creating products that have desirability, social acceptability, ethics, and good data management practices.
Allison F. Avery: Diversity and Inclusion
Data breaches keep on happening, and information security professionals are in demand more than ever. Did you know that there is currently a shortage of one million infosec pros worldwide? But the solution to this “man-power” shortage may be right in front of and around us. Many believe we can find more qualified workers by investing in Diversity & Inclusion programs.
I wanted to learn more about the benefits of a D&I program, and especially how to create a successful one. So I called Allison F. Avery, Senior Organizational Development & Diversity Excellence Specialist at NYU Langone Medical Center, to get the details from a pro.
She clarified common misconceptions about Diversity & Inclusion (D&I) and offered a framework and methodology to implement D&I. She reminded me, “You should not be doing diversity for diversity’s sake.”
Allison F. Avery: How Infosec Can Implement Diversity & Inclusion Programs to Address Workforce Shortage and Make More Money Too
Creating a more diverse workplace isn’t about window dressing. It makes your company more profitable, notes Ed Lazowska, a Professor of Computer Science and Engineering at the University of Washington-Seattle. “Engineering (particularly of software) is a hugely creative endeavor. Greater diversity — more points of view — yields a better result.”
According to research from Center of Talent Innovation, companies with a diverse management and workforce are 45 percent more likely to report growing market share, and 70 percent likelier to report that their companies captured a new market.
I wanted to learn more about the benefits of a D&I program, and especially how to create a successful one. So I called Allison F. Avery, Senior Organizational Development & Diversity Excellence Specialist at NYU Langone Medical Center, to get the details from a pro.
In part one of our interview, Ms. Avery sets the foundation for us by describing what a successful diversity & inclusion program looks like, explaining unconscious bias and her thoughts on hiring based on one’s social network.
Cyber & Tech Attorney Camille Stewart: Discerning One’s Appetite for Risk (Part 2)
We continue our conversation with cyber and tech attorney Camille Stewart on discerning one’s appetite for risk. In other words, how much information are you willing to share online in exchange for something free?
It’s a loaded question and Camille takes us through the lines of questioning one would take when taking a fun quiz or survey online. As always, there are no easy answers or shortcuts to achieving the state of privacy savvy nirvana.
Camille also warns against carrying laws made for the physical world straight over to cyberspace: if we draw comparisons because the connection appears similar at face value, but in reality isn’t, we may set ourselves up to truly stifle innovation.
Cyber & Tech Attorney Camille Stewart: The Tension Between Law and Tech (Part 1)
Many want the law to keep pace with technology, but what’s taking so long?
A simple search online and you’ll find a multitude of reasons why the law is slow to catch up with technology – lawyers are risk averse, the legal world is intentionally slow and also a late adopter of technology. Can this all be true? Or is it simply hearsay?
I wanted to hear from an expert who has experience in the private and public sector. That’s why I sought out the expertise of Camille Stewart, a cyber and technology attorney.
In part one of our interview, we talk about the tension between law and tech. And as it turns out, laws are built in the same way a lot of technologies are built: in the form of a framework. That way, it leaves room and flexibility so that technology can continue to evolve.
Attorney Sara Jodka on GDPR and Employee Data, Part II
Sara Jodka is an attorney for Columbus-based Dickinson Wright. Her practice covers both data privacy and employment law. She’s in a perfect position to help US companies understand how the EU General Data Protection Regulation (GDPR) handles HR data. In the second part of our interview, Sara talks about the relationship between HR data and Data Protection Impact Assessments (DPIAs). Most companies will likely have to take the extra step and perform these DPIAs, but there are specific triggers that Sara delves into.
Attorney Sara Jodka on GDPR and Employee Data, Part I
Sara Jodka is an attorney for Columbus-based Dickinson Wright. Her practice covers both data privacy and employment law. She’s in a perfect position to help US companies understand how the EU General Data Protection Regulation (GDPR) handles HR data. In this first part of the interview, we learn from Sara that some US companies will be in for a surprise when they learn that all the GDPR security rules will apply to internal employee records. The GDPR’s consent requirements, though, are especially tricky for employees.
Varonis CFO & COO Guy Melamed: Preventing Data Breaches and Reducing Risk, Part Two
In part two of my interview with Varonis CFO & COO Guy Melamed, we get into the specifics with data breaches, breach notification and the stock price.
What’s clear from our conversation is that you can no longer ignore the risks of a potential breach. There are many ways you can reduce risk. However, if you choose not to take action, minimally, at least have a conversation about it.
Also, around 5:11, I asked a question about IT pros who might need some help getting budget. There’s a story that might help.
Varonis CFO & COO Guy Melamed: Preventing Data Breaches and Reducing Risk, Part One
Recently, the SEC issued guidance on cybersecurity disclosures, requesting public companies to report data security risk and incidents that have a “material impact” for which reasonable investors would want to know about.
How does the latest guidance impact a CFO’s responsibility in preventing data breaches? Luckily, I was able to speak with Varonis’ CFO and COO Guy Melamed on his perspective.
In part one of my interview with Guy, we discuss the role a CFO has in preventing insider threats and cyberattacks and why companies might not take action until they see how vulnerable they are with their own data.
This is an interview well worth your time: by the end of the podcast, you’ll have a better understanding of what IT pros, finance, legal and HR have on their minds.
Dr. Wolter Pieters on Information Ethics, Part Two
In part two of my interview with Delft University of Technology’s assistant professor of cyber risk, Dr. Wolter Pieters, we continue our discussion on transparency versus secrecy in security.
We also cover ways organizations can present themselves as trustworthy. How? Be very clear about managing expectations. Declare your principles so that end users can trust that you’ll be executing by the principles you advocate. Lastly, have a plan for what to do when something goes wrong.
And of course there’s a caveat: Wolter reminds us that there’s also a very important place in this world for ethical hackers. Why? Not all security issues can be solved during the design stage.
Dr. Wolter Pieters on Information Ethics, Part One
In part one of my interview with Delft University of Technology’s assistant professor of cyber risk, Dr. Wolter Pieters, we learn about the fundamentals of ethics as it relates to new technology, starting with the trolley problem. A thought experiment on ethics, it’s an important lesson in the world of self-driving cars and the course of action the computer on wheels would have to take when faced with potentially life-threatening consequences.
Wolter also takes us through a thought track on the potential of power imbalances when some stakeholders have a lot more access to information than others. That led us to think, is technology morally neutral? Where and when does one’s duty to prevent misuse begin and end?
Privacy Attorney Tiffany Li and AI Memory, Part II
Tiffany C. Li is an attorney and Resident Fellow at Yale Law School’s Information Society Project. She frequently writes and speaks on the privacy implications of artificial intelligence, virtual reality, and other technologies. Our discussion is based on her recent paper on the difficulties with getting AI to forget. In this second part, we continue our discussion of GDPR and privacy, and then explore some cutting edge areas of law and technology. Can AI algorithms own their creative efforts? Listen and learn.
Privacy Attorney Tiffany Li and AI Memory, Part I
Tiffany C. Li is an attorney and Resident Fellow at Yale Law School’s Information Society Project. She frequently writes and speaks on the privacy implications of artificial intelligence, virtual reality, and other technologies. Our discussion is based on her recent paper on the difficulties with getting AI to forget. In this first part, we talk about the GDPR’s “right to be forgotten” rule and the gap between technology and the law.
Rita Gurevich, CEO of SPHERE Technology Solutions
Long before cybersecurity and data breaches became mainstream, founder and CEO of SPHERE Technology Solutions Rita Gurevich built a thriving business on the premise of helping organizations secure their most sensitive data from within, instead of securing the perimeter from outside attackers.
And because of her multi-faceted experiences interacting with the C-Suite, technology vendors, and others in the business community, we thought listening to her singular perspective would be well worth our time.
What stood out in our podcast interview? When others are concerned about limited security budgets, Gurevich envisioned more hands on deck in the field of information security. The reason is that there are more and varied threats, oversaturated vendors in the marketplace, and a cybersecurity workforce shortage.
“What I see happening is that there’s going to be subject matter CISOs across the company; where there will be many people with that title that become experts in very specific domains.”
Also, now that cybersecurity concerns are not as industry specific, Gurevich does recognize that there are certain industries that are more at risk than others.
She approaches all industries with varying degrees of risk and threats, compliance requirements, and disparate systems all in a strategic way – by giving organizations the visibility into their data and systems, what they need to protect and how they need to protect it.
Penetration Testers Sanjiv Kawa and Tom Porter
While some regard infosec as compliance rather than security, veteran pentesters Sanjiv Kawa and Tom Porter believe otherwise. They have deep expertise working with large enterprise networks, exploit development, and defensive analytics, and I was lucky enough to speak with them about the fascinating world of pentesting.
In our podcast interview, we learned what a pentesting engagement entails, assigning budget to risk, the importance of asset identification, and so much more.
Dr. Tyrone Grandison on Data, Privacy and Security
Dr. Tyrone Grandison has done it all. He is an author, professor, mentor, board member, and a former White House Presidential Innovation Fellow. He has held various positions in the C-Suite, including his most recent role as Chief Information Officer at the Institute of Health Metrics and Evaluation, an independent health research center that provides metrics on the world’s most important health problems.
In our interview, Tyrone shares what it’s like to lead a team of forty highly skilled technologists who provide tools, infrastructure, and technology to enable researchers to develop statistical models, visualizations and reports. He also describes his adventures wrangling petabytes of data, the promise and peril of our data economy, and what board members need to know about cybersecurity.
Dr. Zinaida Benenson and Phishing, Part II
Dr. Zinaida Benenson is a researcher at the University of Erlangen-Nuremberg, where she heads the “Human Factors in Security and Privacy” group. She and her colleagues conducted a fascinating study into why people click on what appears to be obvious email spam. In the second part of our interview, Benenson offers very practical advice on dealing with employee phishing and also discusses some of the consequences of IoT hacking.
Dr. Zinaida Benenson and Phishing, Part I
Zinaida Benenson is a researcher at the University of Erlangen-Nuremberg, where she heads the “Human Factors in Security and Privacy” group. She and her colleagues conducted a fascinating study into why people click on what appears to be obvious email spam. In the first part of our interview with Benenson, we discuss how she collected her results, and why curiosity seems to override security concerns when dealing with phish mail.
Roxy Dee, Threat Intelligence Engineer
Some of you might be familiar with Roxy Dee’s infosec book giveaways. Others might have met her recently at Defcon as she shared with infosec n00bs practical career advice. But aside from all the free books and advice, she also has an inspiring personal and professional story to share.
In our interview, I learned that she had a budding interest in security but lacked the funds to pursue her passion. How did she work around her financial constraints? Free videos and notes with Professor Messer! What’s more, she thrived in her first post providing tech support for Verizon Fios. With grit, discipline and volunteering at BSides, she eventually landed an entry-level position as a network security analyst.
Now she works as a threat intelligence engineer and in her spare time, she writes how-tos and shares sage advice on her Medium account, @theroxyd.
Attorney and GDPR Expert Sue Foster, Part 2
Sue Foster is a London-based partner at Mintz Levin. In the second part of the interview, she discusses the interesting loophole for ransomware breach reporting requirements that’s currently in the GDPR. However, there’s another EU regulation going into effect in May of 2018, the NIS Directive, which would make ransomware reportable. And Foster talks about the interesting implications of IoT devices in terms of the GDPR. Is the data collected by your internet-connected refrigerator or coffee pot considered personal data under the GDPR? Foster says it is!
Attorney and GDPR Expert Sue Foster, Part 1
Sue Foster is a London-based partner at Mintz Levin. She has a gift for explaining the subtleties in the EU General Data Protection Regulation (GDPR). In this first part of the interview, she discusses how US companies can get caught up in either the GDPR’s extraterritoriality rule or the e-Privacy Directive’s new language on embedded communication. She also decodes the new breach notification rules, and when you need to report to the DPA and consumers. Privacy and IT security pros should find her discussion particularly relevant.
Troy Hunt and Lessons from a Billion Breached Data Records
Troy Hunt is a web security guru, Microsoft Regional Director, and author whose security work has appeared in Forbes, Time Magazine and Mashable. He’s also the creator of “Have I been pwned?”, the free online service for breach monitoring and notifications.
In this podcast, we discuss the challenges of the industry, learn about his perspective on privacy and revisit his talk from RSA, Lessons from a Billion Breached Data Records as well as a more recent talk, The Responsibility of Disclosure: Playing Nice and Staying Out of Prison.
After the podcast, you might want to check out the free 7-part video course we developed with Troy on the new European General Data Protection Regulation that will be law on May 25, 2018 – changing the landscape of regulated data protection law and the way that companies collect personal data. Pro tip: GDPR will also impact companies outside the EU.
John P. Carlin: Emerging Threats (Part 4)
In this concluding post of John Carlin’s Lessons from the DOJ, we cover a few emerging threats: cyber as an entry point, hacking for hire and cybersecurity in the IoT era.
One of the most notable anecdotes is John’s description of how easy it was to find hacking-for-hire shops on the dark web. Reviews of the most usable usernames and passwords and the most destructive botnets are widely available to shoppers. Also, expect things to get worse before they get better. With the volume of IoT devices now available that were developed without security by design, we’ll need to find a way to mitigate the risks.
John P. Carlin: Ransomware & Insider Threat (Part 3)
We continue with our series with John Carlin, former Assistant Attorney General for the U.S. Department of Justice’s National Security Division. This week, we tackle ransomware and insider threat.
According to John, ransomware continues to grow, with no signs of slowing down. Not to mention, it is a vastly underreported problem. He also addressed the confusion on whether or not one should engage law enforcement or pay the ransom. And even though recently the focus has been on ransomware as an outside threat, let’s not forget insider threat because an insider can potentially do even more damage.
John P. Carlin: Economic Espionage & Weaponized Information (Part 2)
In part two of our series, John Carlin shared with us lessons on economic espionage and weaponized information.
As former Assistant Attorney General for the U.S. Department of Justice’s National Security Division, he described how nation state actors exfiltrated data from American companies, costing them hundreds of billions of dollars in losses and more than two million jobs.
He also reminded us how important it is for organizations to work with the government as he took us down memory lane with the Sony hack. He explained how destructive an attack can be, by using soft targets, such as email that do not require sophisticated techniques.
John P. Carlin: Lessons Learned from the DOJ (Part 1)
John P. Carlin, former Assistant Attorney General for the U.S. Department of Justice’s (DOJ) National Security Division, spent an afternoon sharing lessons learned from the DOJ.
And because the lessons have been so insightful, we’ll be rebroadcasting his talk as podcasts.
In part one of our series, John weaves in lessons learned from Ardit Ferizi, Hacktivists/Wikileaks, Russia, and the Syrian Electronic Army. He reminds us that the current threat landscape is no doubt complicated, requiring blended defenses, as well as the significance of collaboration between businesses and law enforcement.
John Carlin currently chairs Morrison & Foerster’s global risk and crisis management team.
Christina Morillo, Enterprise Information Security Expert
If you want to be an infosec guru, there are no shortcuts to the top. And enterprise information security expert, Christina Morillo knows exactly what that means.
When she worked at the help desk, she explained technical jargon to non-technical users. As a system administrator, Christina organized and managed AD, met compliance regulations, and completed entitlement reviews. Also, as a security architect, she developed a comprehensive enterprise information security program. And if you need someone to successfully manage an organization’s risk, Christina can do that as well.
In our interview, Christina Morillo revealed the technical certificates that helped jumpstart her infosec career, described work highlights, and shared her efforts in bringing a more accurate representation of women of color in tech through stock images.
Scout Brody, PhD: Design Thinking and IoT
By now, we’ve all seen the wildly popular internet of things devices flourish in pop culture, holding much promise and potential for improving our lives. One thing we haven’t seen is IoT devices that are not connected to the internet.
In our follow-up discussion, this was the vision Simply Secure’s executive director Scout Brody advocates, as current IoT devices don’t have a strong foundation in security.
She points out that we should consider why putting a full internet stack on a new IoT device will help users as well as the benefits of bringing design thinking when creating IoT devices.
Scout Brody, Ph.D. on Creating Security Systems Usable for All
With the spring just a few short weeks away, it’s a good time to clean the bedroom windows, dust off the ceiling fans, and discard old security notions that have been taking up valuable mind space.
What do you replace those security concepts with?
How about ones that say that security systems are not binary “on-off” concepts, but instead can be seen as a gentle gradient. And where user experiences developed by researchers create security products that actually, um, work. This new world is conceived by Scout Brody, executive director of Simply Secure, a nonprofit dedicated to leveraging user interface design to make security easier and more intuitive to use.
“UX design is a critical part of any system, including security systems that are only meant to be used by highly technical expert users,” according to Brody. “So if you have a system that helps monitor network traffic, if it’s not usable by the people who are designed to use it or it’s designed for, then it’s not actually going to help them do their jobs.”
In the first part of my interview with Scout Brody, we cover why security systems aren’t binary, the value of user interface designers, and how to cross pollinate user personas with threat models.
Professor Angela Sasse on the Economics of Security
In part two of my interview with Angela Sasse, Professor of Human-Centred Technology, she shared an engagement she had with British Telecom (BT).
The accountants at BT said that users were resetting passwords at a rate that overwhelmed the helpdesk’s resources, making the cost untenable. The security team believed that the employees were the problem; Sasse and her team thought otherwise. She likened the demand that users remember their passwords to a memory exercise. With Sasse’s help, they worked together to change the security policy so that it worked for both the company and the user.
We also covered the complexities of choosing the right form of authentication (i.e. passwords, 2FA or biometrics?), the pros and cons of user training, and the importance of listening to your users.
Professor Angela Sasse FREng on Human-Centered Security
Lately, we’ve been hearing more from security experts who are urging IT pros to stop scapegoating users as the primary reason for not achieving security nirvana. After covering this controversy on a recent episode of the Inside Out Security Show, I thought it was worth having an in-depth conversation with an expert.
So, I contacted Angela Sasse, Professor of Human-Centred Technology in the Department of Computer Science at University College London, UK. Over the past 15 years, she has been researching the human-centered aspects of security, privacy, identity and trust. In 2015, for her innovative work, she was awarded the Fellowship of the Royal Academy of Engineering (FREng) as one of the best and brightest engineers and technologists in the UK.
In part one of my interview with Professor Angela Sasse, we cover the challenges that CISOs have in managing risk while finding a way to understand what’s being asked of the user. And more importantly, why improving the usability of security can positively impact an organization’s profits.
Medical Privacy Expert Adam Tanner
Adam Tanner is the author of “Our Bodies, Our Data”, which tells the story of a hidden dark market in drug prescription and other medical data. In recent years hackers have been able to steal health data on a massive scale — remember Anthem? In this second part of our interview, we explore the implications of hacked medical data. If hackers get into a data brokers’ drug databases and combine with previously stolen medical insurance records, will they rule the world?
Medical Privacy Expert Adam Tanner
Adam Tanner is the author of “Our Bodies, Our Data”, which tells the story of a hidden dark market in drug prescription and other medical data. Adam explains how the sale of “anonymized” data is a multi-billion dollar business not covered by HIPAA rules. In this first part of our interview, we learn from Adam how the medical data brokers got started and why it’s legal.
More Ann Cavoukian: GDPR and Access Control
We continue our discussion with Dr. Ann Cavoukian. She is currently Executive Director of Ryerson University’s Privacy and Big Data Institute and is best known for her leadership in the development of Privacy by Design (PbD).
In this segment, Cavoukian tells us that once you’ve involved your customers in the decision making process, “You won’t believe the buy-in you will get under those conditions because then you’ve established trust and that you’re serious about their privacy.”
We also made time to cover General Data Protection Regulation (GDPR) as well as three things organizations can do to demonstrate that they are serious about privacy.
Dr. Ann Cavoukian: Privacy by Design
I recently had the chance to speak with former Ontario Information and Privacy Commissioner Dr. Ann Cavoukian about big data and privacy. Dr. Cavoukian is currently Executive Director of Ryerson University’s Privacy and Big Data Institute and is best known for her leadership in the development of Privacy by Design (PbD).
What’s more, she came up with PbD language that made its way into the GDPR, which will go into effect in 2018. First developed in the 1990s, PbD addresses the growing privacy concerns brought upon by big data and IoT devices.
Many worry about PbD’s interference with innovation and businesses, but that’s not the case.
When working with government agencies and organizations, Dr. Cavoukian’s singular approach is that big data and privacy can operate together seamlessly. At the core, her message is this: you can simultaneously collect data and protect customer privacy.
Password Expert Per Thorsheim on Biometrics and Keystroke Dynamics
Per explains, “Keystroke dynamics, researchers have been looking at this for many, many years. It’s still an evolving piece of science. But it’s being used in real life scenarios with banks. I know at least there’s one online training company in the US that’s already using keystroke dynamics to verify if the correct person is doing the online exam. What they do is measure how you type on a keyboard. And they measure the time between every single keystroke, when you are writing in password or a given sentence. And they also look for how long you keep a button pressed and a few other parameters.”
What’s even more surprising is that it is possible to identify one’s gender using keystroke dynamics. Per says, “With 7, 8, 9 keystrokes, they would have a certainty in the area of 70% or more…and the more you type, if you go up to 10, 11, 12, 15 characters, they would have even more data to figure out if you were male or female.”
Those who don’t want to be profiled by their typing gait can try the Keyboard Privacy extension by Per Thorsheim and fellow infosec expert Paul Moore.
Password expert Per Thorsheim On Life After Two Factor Authentication
Based in Norway, Per Thorsheim is an independent security adviser for organizations and government. He is also the founder of PasswordsCon.org, a conference that’s all about passwords, PIN codes, and authentication. Launched in 2010, the conference gathers security professionals and academic researchers from around the world to better understand and improve security.
In part one of our conversation, Per explains – despite the risks – why we continue to use passwords, the difference between 2-factor authentication and 2-step verification, as well as the pros and cons of using OAuth.
Naturally the issue of privacy comes up when we discuss connected accounts with OAuth. So we also made time to cover Privacy by Design as well as the upcoming EU General Data Protection Regulation (GDPR).
Security Expert and “Hacked Again” Author Scott Schober
We continue our discussion with Scott. In this segment, he talks about the importance of layers of security to reduce the risks of an attack. Scott also points out that we should be careful about revealing personal information online. It’s a lesson he learned directly from legendary hacker Kevin Mitnick!
Security Expert and “Hacked Again” Author Scott Schober
Scott Schober wears many hats. He’s an inventor, software engineer, and runs his own wireless security company. He’s also written Hacked Again, which tells about his long running battle against cyber thieves. Scott has appeared on Bloomberg TV, Good Morning America, CNBC, and CNN.
In the first part of the interview, Scott tells us about some of his adventures in data security. He’s been a victim of fraudulent bank transfers and credit card transactions. He’s also aroused the wrath of cyber gangs, and his company’s site was a DDoS target. There are some great security tips here for both small businesses and consumers.
More Sheila FitzPatrick: Data Privacy and the Law
In the next part of our discussion, data privacy attorney Sheila FitzPatrick gets into the weeds and talks to us about her work in setting up Binding Corporate Rules (BCR) for multinational companies. These are actually the toughest rules of the road for data privacy and security.
What are BCRs?
They allow companies to internally transfer EU personal data to any of their locations in the world. The BCR agreement has to get approval from a lead national data protection authority (DPA) in the EU. FitzPatrick calls them a gold standard in compliance—they’re tough, comprehensive rules with a clear complaint process for data subjects.
Another wonky area of EU compliance law she has worked on is agreements for external data transfers between companies and third-party data processors. Note: it gets even trickier when dealing with cloud providers.
This is a fascinating discussion from a working data privacy lawyer.
And it’s great background for IT managers who need to keep up with the lawyerly jargon while working with privacy and legal officers in their company!
Sheila FitzPatrick and GDPR
We had a unique opportunity in talking with data privacy attorney Sheila FitzPatrick. She lives and breathes data security and is a recognized expert on EU and other international data protection laws. FitzPatrick has direct experience in working with and representing companies in front of EU data protection authorities (DPAs) and sits on various governmental data privacy advisory boards.
IoT Pen Tester Ken Munro: Probing Wireless Networks
We have more Ken Munro in this second part of our podcast. In this segment, Ken tells us how he probes wireless networks for weaknesses and some of the tools he uses.
One takeaway for me is that the PSKs or passwords for WiFi networks should be quite complex, probably at least 12 characters. The hackers can crack hashes of low-entropy WiFi keys, which they can scoop up with wireless scanners.
Ken also shares some thoughts on why consumer IoT devices will continue to be hackable. Keep in mind that his comments on security and better authentication carry over quite nicely to the enterprise world.
IoT Pen Tester Ken Munro: Security Holes
If you want to understand the ways of a pen tester, Ken Munro is a good person to listen to. An info security veteran for over 15 years and founder of UK-based Pen Test Partners, his work in hacking into consumer devices — particularly coffee makers — has earned lots of respect from vendors. He’s also been featured on the BBC News.
You quickly learn from Ken that pen testers, besides having amazing technical skills, are at heart excellent researchers.
They thoroughly read the device documentation and examine firmware and coding like a good QA tester. You begin to wonder why tech companies, particularly the ones making IoT gadgets, don’t run their devices past him first!
There is a reason.
According to Ken, when you’re a small company under pressure to get product out, especially IoT things, you end up sacrificing security. It’s just the current economics of startups. This approach may not have been a problem in the past, but in the age of hacker ecosystems, and public tools such as wigle.net, you’re asking for trouble.
Chief Data Officer Richard Wendell: Skills to Cultivate
In this second podcast, Mr. Wendell continues where he left off last time.
He explains the skills you’ll need in order to be an effective Chief Data Officer and we learn more about MIT’s International Society of Chief Data Officers.
Richard Wendell: Information as an Asset
The emergence of Chief Data Officers (CDOs) demonstrates the growing recognition of information as an asset. In fact, Gartner says that 90% of large organizations will have a CDO by 2019.
To understand the CDO role more deeply, I turned to Richard Wendell.
I met Mr. Wendell last year at the Chief Data Officer Summit and thought his background and expertise would help us understand the critical role a CDO plays in managing an organization’s data.
Attorney and Data Scientist Bennett Borden: Find Insider Threats
In this second podcast, Bennett continues where he left off last time. Borden describes his work on developing algorithms to find insider threats based on analyzing content and metadata.
Attorney and Data Scientist Bennett Borden: Data Analysis Techniques
Once we heard Bennett Borden, a partner at the Washington law firm of DrinkerBiddle, speak at the CDO Summit about data science, privacy, and metadata, we knew we had to reengage him to continue the conversation.
His bio is quite interesting: in addition to being a litigator, he’s also a data scientist. He’s a sought after speaker on legal tech issues. Bennett has written law journal articles about the application of machine learning and document analysis to ediscovery and other legal transactions.
In this first part in a series of podcasts, Bennett discusses the discovery process and how data analysis techniques came to be used by the legal world. His unique insights on the value of the file system as a knowledge asset as well as his perspective as an attorney made for a really interesting discussion.
Statistician Kaiser Fung: Accuracy of Algorithms
In part one of our interview with Kaiser, he taught us the importance of looking at the process behind a numerical finding.
We continue the conversation by discussing the accuracy of statistics and algorithms. With examples such as shoe recommendations and movie ratings, you’ll learn where algorithms fall short.
Statistician Kaiser Fung: Investigate The Process Behind A Numerical Finding
In the business world, if we’re looking for actionable insights, many think it’s found using an algorithm.
However, statistician Kaiser Fung disagrees. With degrees in engineering, statistics, and an MBA from Harvard, Fung believes that both algorithms and humans are needed, as the sum is greater than its individual parts.
Moreover, the worldview he suggests one should cultivate is numbersense. How? When presented with a numerical finding, go the extra mile and investigate the methodology, biases, and sources.