Protect Your Personal Privacy Without Leaving a Digital Footprint

 

Dominic Vogel: Hello, everyone. Welcome to another fantastic edition of the Cyber Security Matters podcast. I'm your host, Dominic Vogel, and joining me as always is Mr. Jolly himself and my co-host, Christian Redshaw. Christian, how are you doing today?

 

Christian Redshaw: I'm jolly, the coffee starting to kick in. How are you, sir?

 

Dominic Vogel: I too am jolly in the jolliest of ways and I'm very much looking forward to a fantastic show today.

 

Christian Redshaw: Who've we got?

 

Dominic Vogel: Well, yeah, good question. Our guest today is Julie Talbot-Hubbard. She's based in Atlanta, Georgia, and she is the Senior VP of Cyber Protection and Identity for Optiv. And Optiv is one of our sponsors of the Cyber Security Matters podcast, as is Telus for this particular episode. And we're really looking forward to having Julie on board. I had a great pre-chat with her a few weeks ago, but I think all our listeners and viewers are going to really enjoy hearing from Julie. So we will take a momentary pause, we'll bring Julie on, and we'll go from there.

 

Julie, thank you so much for joining us today on the Cyber Security Matters podcast. How are you doing?

 

Julie Talbot-Hubbard: I'm doing great. How are you doing?

 

Dominic Vogel: We're doing pretty well. It's actually fantastic fall weather here in Vancouver, which is highly unusual. Normally it's raining cats and dogs, but we have really great sunshine, so we'll take it.

 

Julie Talbot-Hubbard: Oh, we have that in Atlanta. Usually it's probably 90 degrees still at this point, but it's 65 and sunny.

 

Christian Redshaw: Nice.

 

Dominic Vogel: That's good. A little more tolerable temperature-wise. But I thought we'd maybe just start off our conversation, if you could share of a bit of your story, your career journey with our listeners and viewers. Tell us a little bit about your journey to date and what your role is at Optiv.

 

Julie Talbot-Hubbard: So I've been in security, data management or infrastructure, IT for a little over 20 years, really in roles progressing in leadership across financial services, healthcare, large software organizations, and even a public university as well. But really always helping organizations understand their assets in their environment, what's most important, and how to protect that.

 

Dominic Vogel: Amazing, amazing.

 

Christian Redshaw: Julie, I have a two-part question for you. So in terms of the clients that you work with, first part is who are your typical clients? In other words, what kind of organizations, what industries are they in? And then when it comes to when you're first engaging with these clients, what is your typical first steps with them? What is your discovery process and what areas are you looking at with them?

 

Julie Talbot-Hubbard: So from clients on who Optiv really works with and really helps protect, I would say there's not one specific industry. We have expertise across all different industries and we look at even the size of organizations. How we break up just our support, you could say, and our capabilities, we look at anywhere from a smaller organization that could be more of a small public university, all the way through a public utility organization, ranging all way up to the largest Fortune 20 global accounts. And so we do provide services and solutions to all those different organizations. When we first really go in and you're looking at working with a client, with my background being in financial services, healthcare predominantly, as I was a CISO in my career, I always really wanted to understand what are my peers doing in those accounts? And also I always tied my security strategy more to that business as well.

 

So what we try to do is we really want to understand the industry they're in, what are their top threats that they're fighting against? What are some of the compliance changes in their environment? Because again, we're all going through a lot of complex things right now with shifts to the cloud. Also the regulations, privacy, all those are rapidly changing. So want to get a view of the client from that perspective and then really looking at their business and where that business is going. It's something where I think the last two, three years, I would say, every business is underpinned by technology now, and really understanding where the business is today, but what's that business strategy going forward?

 

So if it's in healthcare, what are they really trying to evolve to? What new technologies are we going to be bringing in? So we have that understanding, so when we're working with that client, we're not just helping them today, but we're really helping them build that strategy for the future. Because we all know how quickly things are evolving and changing and I think if you don't have an agile strategy and one that can flex, you're going to always be behind.

 

Christian Redshaw: Very well said. Every business is underpinned by technology and then cybersecurity obviously supports and protects that technology and the information assets there. How important from your perspective, Julie, is digital trust, as well as from the perspective of the clients that you serve?

 

Julie Talbot-Hubbard: From a digital trust perspective, I look at it as if you look at just what's changed in the last several years, everything's really digitized today. So we've really digitized every aspect of our lives, from how we shop, how we pay for things. Even going to the doctor now, just your medical records, how you pay your bills there, the records that you share. All the way to even going out to eat now, when you think about with COVID, we started, we didn't have the menus to touch anymore, we have the scan, the QR code. And so you think about that digital revolution that we've all experienced the past year and a half. That's all really underpinned by technology again and really that interconnectedness. And so when I think too about organization security strategies, if you think years back, I don't want to say many years, but many of them were more built on the perimeter, and how are we securing all the data, all the information inside that? Now with the connected systems, IOT devices, your phone, everything, that digital trust is becoming much more paramount.

 

And I look at identity, and that authentication is really center and core to that really digital trust organizations are creating. Another key piece is really around the data as well. And I think that organizations are having to shift their security strategies to really focus on data, identification, authentication, all of those components to really secure that. Because as a consumer there's options and choices now that people get to make. And I think trust is becoming much more critical for buyers, consumers, but also for even workforce and how our employees are now wanting to ensure that the data they're entrusting to us, we're keeping that secure as well, and meeting privacy obligations.

 

Christian Redshaw: Very well said, Julie. So one more question for me before I pass it over to you, Dominic. So we're protecting your systems and information and reputation for your clients. The assumption is that our viewers and listeners know what we're protecting against. My question for you, Julie, is who is the enemy? Who are the external threats, these cyber criminals? Who are they attacking, how are they attacking them, and what are they after?

 

Julie Talbot-Hubbard: I don't want to say there's one group because I think just attacks are growing in general, just to think about the attack surface, how it's grown. I would still say nation states is still where we see the largest kind of where the attacks were coming from. But if you think about what we've been talking about today, really around that digital footprint and you think about the expansion of technology, so if you think about an organization that had an on-prem data center five years ago, they had employees that worked in the office as well. And you think about that expansion in the last two years, now you've got hybrid environments, you've got just large data growth. Data's usually created by people, habits, I mean, just all of that data explosion that we're seeing. And then you think about working remotely and the additional devices now being introduced into that network.

 

So that attack surface has grown for these bad actors, whether it be nation states or not. I still believe, and we still see today that there's still a lot of, I would just say low-hanging fruit, where really attackers can get in. And they're still leveraging that. Why would you do something, I guess, more complicated if you didn't need to? And so we're still seeing phishing attacks still on the rise, still hackers getting in there as kind of that initial access, and then really doing that lateral movement across organizations. Ransomware is another large... We've seen an increase in that. And I think organizations aren't as prepared to really react to that from a cyber resilience standpoint, so they're paying these, and I think that's just going to continue to increase as well.

 

Dominic Vogel: And Julie, really appreciate this wisdom you shared with us so far. And I want to go back to a point that you mentioned around identity-centric and data-centric approaches to security strategy and how that's evolved from the traditional sort of perimeter-based approach. Just to dive into the data-centric approach, in your views, what are necessary prerequisites for organizations to even be able to take a data-centric approach to security? Because I mean, there's so many organizations, even if you ask them the question, "What is your most critical data?" Many of them even struggle to answer that question. So what would be some tangible areas that they can start in moving towards a more data-centric approach to security?

 

Julie Talbot-Hubbard: So I've seen organizations kind of go about it a few different ways. One, I would say having clarity around your data. So you mentioned many organizations don't maybe understand their most critical data assets or critical IP. So I would recommend organizations start there, just identifying what's their most critical IP. What's interesting about that too is that it could be depending on, again, go back to your industry. So if you're a software development company, if you're a financial institution, if you're a healthcare, there's going to be certain types of data that's most important and they're going to be within your environment.

 

So I think first understanding what that is in the organization, and usually that involves talking to the business, not just IT, and really looking across the organization. That can be done through technology, where you can automate and really scan across your environment, whether it be unstructured or structured data. Or it could be more that you're doing interviews, inquiry, and having those discussions. But I would say that's the first step. I like to go back to the typical data governance piece too, where you're identifying some data owners, data policies around that, and so there's an understanding on how you must protect that data.

 

And that goes from who's accessing that data and what access should be allowed all the way down to more of the encryption or however you're protecting that across the environment. And I think if you're more data aware, and you have that context, I think you can manage your security in a manageable way. And I actually don't see how organizations are going to be able to manage their risks successfully without having some of that context as their environments grow across just hybrid cloud environments.

 

Dominic Vogel: And Julie, yeah, this is such an engaging conversation. I just have one more final question before we let you on with the rest of your day. And you mentioned earlier around, I guess, compliance, regulations and how that's rapidly changing. What do you see as coming down the pipeline? Is there anything, in particular in the US, anything that could be game changing policy or compliance, regulatory requirements that are going to have greater teeth than maybe compliance or regulations before them?

 

Julie Talbot-Hubbard: When we think about just privacy in general and how companies are respecting and really protecting individuals' data, today, depending on what state you're in or even maybe what country you're in, those regulations are different. And how companies are using that data, I really don't think many people understand when they're signing up, accepting cookies, giving consent to how that data is used, or even some of the browsers that you use on their internet. And if you think about the ads that you're getting if you're shopping online or anything else, that's data that's being collected. And so I think that will be a game changer that's really needed as we move further into that digital world.

 

Dominic Vogel: Amazing. Julie, thank you so much for joining us today on the Cyber Security Matters podcast. It's been an incredibly enlightening conversation I know for our viewers and listeners. And thank you again so much for taking time out of your day to chat with both of us. We really appreciate it.

 

Julie Talbot-Hubbard: Well, I've had a great time just engaging with both of you and really enjoyed the conversation. So thank you for having me.

 

Christian Redshaw: Thank you, Julie.

 

Dominic Vogel: Amazing. Christian and I will be right back to wrap up today's episode.

 

Voiceover: Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy, and operate complete cybersecurity programs, from strategy and managed security services to risk, integration and technology solutions. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit optiv.com.

 

Dominic Vogel: This week's episode of Cyber Security Matters is brought to you by Telus Business. Is your board of directors worried about how ransomware might impact your business? Unsure how to share accessible relevant information about ransomware in Canada with non-technical leaders? If so, Telus can help. Based on data from over 450 Canadian organizations, the Telus Canadian ransomware study shares easily digestible insights about ransomware and the experience of organizations like yours. It covers everything from the evolution of ransomware attacks, like the introduction of multiple extortion, to the outcomes of ransom payments. It also covers the tools you can use to effectively protect your business. Visit telus.com/ransomwarestudy to download your copy and share it with anyone looking to better understand ransomware and its impact in Canada. Telus Business, cybersecurity that works for you.

 

Well, that was a brilliant conversation. I thought Julie laid out some really interesting material and thought and wisdom there. You can tell she is a very well-experienced chief information security officer. Lot of years of experience behind her. I really like what she was laying out there in terms of sort of that modern data-centric, identity-centric approach to security. Organizations big and small need to move beyond that traditional approach to security.

 

Christian Redshaw: Yeah, I agree. The context there of knowing what's your most critical data and getting a handle on that, as well as knowing where your organization is going. I think those contextual pieces are really important factoring into the beginning of a cybersecurity discovery process.

 

Dominic Vogel: Absolutely. And we want to thank Julie again for coming onboard and sharing her insights and wisdom with us today. And we want to extend a special thank you to our loyal listeners and viewers who join us each and every week. If you did happen to miss an episode, do check out the Cyber Security Matters YouTube page or check out previous episodes on your favorite podcasting platform. As well as we want to say a special thank you to the Cyber Security Matters sponsors for today's episode, that is Optiv Security and Telus. Again, thank you again as always for joining us each and every week. We wish you well. Be well, be safe and we'll see you again next time on the Cyber Security Matters podcast.

 

Christian Redshaw: See you next week.