Data privacy careers: GDPR, CCPA and the right to be forgotten


Cyber Work is celebrating its next major milestone. As of July 2020, Cyber Work has had over a quarter of a million listeners. We're so grateful to all of you that have watched the videos on our YouTube page, commented on live release feeds, left ratings and reviews on your favorite podcast platform, redeemed bonus offers, or just listened in the comfort of your own home. Thank you to all of you. Because our listenership is growing so quickly, and because Cyber Work has big plans for the second half of 2020 and beyond, we want to make sure that we're giving you what you want to hear. That's right, we want to hear specifically from you. So please go to. Survey that's www. And the numeral, 2. Www.infosec. Institute. Survey. The survey is just a few questions and it won't take you that long, but it will really help us to know where you are in your cyber security career and what topics and types of information you enjoy hearing on this podcast. Again that's. Www. Survey. Please respond today and you could be entered to win a $100 Amazon gift card. That's. Survey. Thanks once again for listening, and now, on with the show.

Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week I sit down with a different industry thought leader and we discuss the latest cyber security trends, how those trends are affecting the work of infosec professionals, while offering tips for those trying to break in or move up the ladder in the cyber security industry. Our guest today, Gabe Gumbs, is the chief innovation officer at Spirion. He came to the program with some very intriguing discussion topics, one particularly slanted to a common theme on the show. Gabe wanted to tell us about the skills gap that wasn't, as well as some updates on data privacy in the wake of GDPR and CCPA, and some ways you can make data privacy a profession to live with. Gabe Gumbs has a deep-rooted passion for technology, information security, and problem solving.
As chief innovation officer at Spirion, a leader in rapid identification and protection of sensitive data, he's channeling that passion to make the digital world a safer place. By spearheading Spirion's vision for data privacy in the next decade and beyond, he's leading the way to a more secure and private future for all. Gabe, thank you for joining us today.

Thanks for having me, Chris. A pleasure.

Okay, I just realized that I misspelled, uh, is it Spirion or Spyron?

Spirion.

Spirion, my apologies. Check out Spirion. Uh, okay, so, uh, before we talk about data privacy, we always like to start out by finding out a little bit about our guests. So how did you first get interested in this field? Have computers and tech always been part of your background, or did you move into it later in your career?

No, it's always been part of my background. So, uh, early on in kind of my, well, pre-security days, I was dabbling in many different types of technology. So, um, I got involved with my local NY, uh, LUG group many moons ago, so a Linux user group meetup, um, and, uh, you know, things of that nature. And it was also kind of around the same time, uh, the 2600 scene was kind of growing up a bit more in the New York City area, and so I've always kind of been involved in, interested, and kind of around it to some degree. And the early part of my career actually was in networking. And, uh, from there, before I'd taken on my first infosec position, uh, I had already been in technology as well too, so it's been a long love affair with technology and security.

Okay, so was there a particular sort of defining event or something where you were doing networking and you're like, oh, I like security better, you know, this is more interesting to me? Was there some particular thing where you're like, oh, this is what I want to do?

Yeah, well, I was kind of experimenting with things kind of in my own personal time from, perspective, and then, you know, just kind of testing things out and breaking things and building things, etc. And so that interest was there. Uh, it wasn't until an actual opportunity presented itself in the workplace, um, where I was at the time as a network engineer, that allowed me to move into it in a bit more of a professional capacity.

Okay. Um, so tell me about your job at Spirion. What exactly does the average workday of a chief innovation officer look like?

Well, it means you spend a lot of time in problem space and talking to other people about their problems. Luckily it's not the lay-on-the-couch type of problems, although for many of them it can be.

Yeah, one leads to the other.

Indeed. Uh, but I spend a lot of time trying to understand what the challenges are that organizations face around data privacy and data security, and how, what technology Spirion builds, we can leverage to alleviate those problems and eliminate them in some cases. So, you know, a large part of my day is spent around building the overall product strategy for the larger portfolio. Okay, what are we building, why are we building it, who are we building it for, uh, the things of that nature. So yeah, a lot of it's spent talking to actual practitioners on the ground, again, with their problems. Um, and then with my own internal teams, we've got, uh, a product management team and an engineering team and a research and development team, um, and, you know, we take all these ideas that we come up with, we do some market research as well, we test things, we prototype some ideas, and we get them into the hands of customers and see how it actually solves problems in the real world. And, uh, then we turn those things into product.

Okay. Um, do you have sort of, uh, direct reports? Do you, um, sort of actively manage, you know, your various teams?

Indeed. Yeah, so there's an entire innovation team that, uh, I actively manage, and so there's kind of two arms, if you would. There is more of the academic research side of it, and then there is the very hands-on technical side of the research as well.

Okay, and, um, have you had any particular, like, you know, we're trying to get a sense of how security managers are sort of taking care of their team at a point where everything is so sort of distant and work-from-home, and there's not a lot of sort of face-to-face collaboration with COVID-19 and so forth. Um, have your sort of management, uh, strategies had to change at all now that everyone's sort of, you know, often in their own individual, um, you know, kind of silos?

It's a little from column A, a little from column B. So I'm an old grizzly work-from-home veteran. Absolutely. Prior to taking my current position, I actually worked from home for the last 15 or so years. So for me personally, working remotely and managing remote teams did not pose the same type of challenge. Um, in, you know, my current role at the head of the innovation strategy table, we had a very office-centric environment, um, pre-COVID. And a lot of that was just around, you know, rapidly, um, coming up with ideas, testing them and so forth, and a lot of those things happened very organically in person, a lot of whiteboarding and things of that nature. I'd say that's really the only thing that was heavily impacted, was maybe the whiteboarding of it. That exchange of ideas still happens. It really meant that we had to leverage more technology platforms to be able to do that. Um, so, you know, where we would in the past get up and, you know, maybe go talk to someone really quickly, you know, we use, uh, some chat technologies to kind of do the same. So, um, you know, again, for myself and for those within, you know, my direct, uh, orbit, not a massive change. Not a massive change at all.

Yeah, okay. Uh, so, you know, a lot of our listeners, the main slant of Cyber Work is that, you know, our listeners are working out what type of careers they want to enter, so I wanted to sort of atomize, you know, some of the career steps that you took to get to the position you're at now. What types of positions, experiences, skills, learning did you need to do to become a chief innovation officer? What were some of the sort of past, you know, signposts?

Yeah, well, it certainly was a circuitous route. That is to say, I didn't wake up one morning any number of years ago and say that's where I want to be, specifically. Um, although, you know, it was in the general arena, if you would. But in terms of getting to that place, a large part of my, uh, three quarters of my career path was very much on the practitioner side of the house. So that is to say, I was actively, um, putting together security programs and then coming together security solutions to solve problems directly for the business. So in this capacity, I take a lot of the skills learned from there and kind of blow it out to do it on a larger scale for, you know, numerous organizations, hundreds of them, um, thousands really, you know, at that scale. And so some of the things that really helped me along the way was a very early understanding of technology and its interconnection points. So I don't know that everyone needs to necessarily, you know, know the different ways of the OSI model, but it's helpful.
Yeah, I don't know that everyone needs to know how to program, but I certainly advocate for it. Um, and so, you know, picking up those types of deep technology skill sets along the way, along with, um, more of just the managerial skill sets, you know, by the time you talk about my existing position, um, is very helpful. But, you know, I still spend a lot of time learning, a lot of time learning, and I think, not so much what the steps were to get here so much as it is the steps to be good at what one does when they're there, right? And that does require constant learning. So, you know, programming, for example. I've been getting my hands dirty and learning Golang, for example. Um, I'm actually really enjoying that. Uh, trying to think, uh, yeah, I've spent a lot of time working with, we've got a number of data scientists, uh, on the team, and so there's some new concepts and theories there that I've spent the last two years really getting very deep into and understanding how they operate, you know, how adversarial networks are created and those different types of ML models are built, etc. Uh, yeah, I think the easy, the short answer is, regardless of where you want to end up, I think it has to be a passion, so much so that you have to enjoy getting really deep into the study of it as opposed to just the practice of it. But there does need to be a healthy balance of both.

Just studying the practice, yeah. Okay, can you talk a little bit about sort of ongoing learning? You know, you say you're working on some new, uh, you know, languages and so forth, but, like, what, uh, sort of, tell me about your sort of, like, your learning, preferred methods. Do you, I mean, what do you do? Do you use books? Do you do labs online? Do you, like, you know, take active courses of study? Do you just sort of, like, comb through things after dinner? Like, you know, how do you sort of keep your skill set fresh?

The answer to that is yes, against all of those.

Okay. Sky, everything.

Yeah, so I do still enjoy some dead trees once in a while, and so, yeah, for example, I was on vacation and I took my rather thick, I don't know, it's 400 or so page, uh, you know, Golang book with me. Okay, I also, uh, I do leverage things like Coursera and other online learning platforms, and I probably spend a few hours in those every week. Um, I do a lot of just reading of academic papers as well too. Uh, a lot of interacting with others in and around my field too. It's not necessarily those just in the product strategy and innovation side of the house, but those directly in the depths of security and privacy. So I actually spend a lot of time in some of the community Slack channels.

Okay.

Yeah, and so, you know, I spend a lot of time like trusted public set channel and things of that nature.
Um, and, uh, for me those are some of the more important places to really learn from, because there are other human beings discussing, uh, the challenges they have and the solutions that they're exploring for these problems.

Okay. Um, so do you have any, um, certifications in your background? Do you have any sort of thoughts on getting certs? Do you have any particular ones that you sort of require from, you know, your team and so forth?

So, required, not necessarily. It kind of depends. I take, uh, my approach to building teams out is usually kind of balancing out the overall skill sets across the team, not necessarily "everyone must have a CISSP" kind of. That said though, interestingly, the entire team this, uh, quarter is challenged to, uh, pick a cert of their choice and explore actually getting it. So for myself, again, I like a lot of hands-on type of stuff, so the last active cert I had was the GWAPT, which is the GIAC's, um, web application penetration testing, uh, certification. So yeah, it's a very hands-on certification that tests one's skill set in application security. Um, I am currently, uh, seeking, so I'm studying for, uh, a couple of the IAPP certifications. Those are more privacy oriented. And the team are working towards their CEHs, the Certified Ethical, uh, Hacker certification. So I'd steer folks more towards kind of what their needs are from a professional standpoint. If you're looking to enter into security, then, you know, kind of minimum bar to entry, a lot of folks are going to be looking for a CISSP or something similar, right? That's just kind of your barrier to entry for a lot of folks. Okay, um, but from there I think, uh, one should try to, certs that actually can demonstrate your mastery of the topic, I think, is good, because there are, I'm not going to call any out, but I think there are some certs that are, you know, study the book a few weeks, maybe a couple of months, and you've got yourself a cert kind of thing, right, versus being able to demonstrate, ah, I understand this topic well enough that I can apply it.

Right, right, right. Okay, yeah, I mean, that's good, and then, you know, it's important to not think of certs as trading cards, they're, you know, things to collect, but as things that, you know, tools that can solve problems and so forth. So, um.

Yeah, yeah, a quick anecdotal story. So I'm sitting in someone's office, this is easily seven or eight years ago, okay? There's a wall of certs, and when I say a wall of certs, without exaggeration, there's probably 30 of them, like, easy. And I was.

All framed and everything?

All framed and everything. I was both fascinated and impressed, honestly, and depressed. And one of them caught my eye, and so I asked the question, "How'd you get that cert?" And the response was, with a very deadpan look on their face, "Well, I studied for it." It's like, oh, well, of course.

Sure, sure. Right, yeah, yeah.

It was at that moment I was like, so that's the wall. Like, I picked up the book, yeah, I grabbed the material, I got, proof of concept, I studied, I took the test, I now have the skill of taking that test, right? And I realized I should probably not inquire any further about the other two dozen plus certs.

Yeah, and I guess I mostly ask too because, you know, we get a lot of different types of guests on the show, and some will say, yeah, certs are really important, or I recommend this one or this one, and other people will say certs are completely unimportant, just as long as you can, you know, do the task, you know, we don't really care what your resume looks like and so forth. So it's always interesting to hear sort of, you know, where different people stand on the use or application or necessity of them.

I'm somewhere down the middle on that one. It's a big battle. It depends.

Sure, yeah, yeah, yeah. Again, it's a tool, and if you need the tool in your toolbox, you better have it. There it is.

Uh, so in the talks before the program we came up with a nice combo of topics to discuss today, so, uh, we're gonna move around a little bit throughout the show, it's not just one thing. But, um, you know, we've had a couple guests on here talk about GDPR and CCPA, and the topic certainly bears repeating. So the area you specifically wanted to discuss was the right to be forgotten, in which organizations that collect data as part of their regular transactions with clients or customers must have a strong system in place to safely remove the data, you know, after it served its purpose. So what are your thoughts on the difficulty or, you know, newsworthiness of this provision?

Well, I think you touched on it in the last, the last bit of that sentence: after it served its purpose. So, you know, the word purpose is explicitly defined in GDPR, and it is defined as the reason which you collected that information in the first place, and you're only allowed to process that information based on the purpose that you expressed to the data subject when you got it. Which basically says, so, Chris, when you went to, you know, and you provided me with your home address and your phone number and your credit card, et cetera, you provided that to me for the purpose of becoming a customer so I can fulfill your orders. And so I'm only allowed to process the information in that way. There are some provisions also, once you sign up for the platform, that also say explicitly, like, hey, we're going to use this information, for example, to understand how people like Chris, uh, how they shop, what their purchasing habits are, right, and dislikes are. So that's another purpose. Now, the second you stop being a customer of Amazon, um, you know, under these provisions, you ostensibly have the right to say, I no longer want you using, you know, that information that you collected on me for anything outside of those purposes. Right, but Amazon of course still wants to be able to market to people like Chris. And so that's one of the many challenges, right, of the right to be forgotten. From the business aspect, that data is extremely valuable. That data is necessary for me to process for my business to exist and to grow. I don't exist to process that data, I process that data to exist and to grow. So how do I forget about you while still being able to learn about people like you? So that's one challenge. And there are some answers to that challenge. There's some, yeah, there are some ways that it can be accomplished. Um, you know, differential privacy methods come to mind. So the first is you pseudonymize or anonymize the data sets.
So that I can extract knowledge about the person without retaining any direct identifiable and or indirectly identifiable.

Person, you're scrubbing my name and identifiers. You're just sort of keeping, like, the demographic data of what I bought.

Which, yes. But that too again still has its own challenges. There are different privacy attacks against data sets where I can re-identify individuals, right? If the data set is, uh, small enough or limited enough or not diverse enough, it becomes easy for me to know. For example, if, uh, you know, you live, let's say, within a metropolitan area and you live in a condominium building, there's 100 people, um, and, uh, I retain, say, uh, information about, um, you know, your sex, male or female, well, that already eliminates some percentage of the individuals within that building. I start narrowing down who it can be. You know, say your age, not just the age range, explicitly your age, I've narrowed it down maybe even further at that point. Um, and then as you start looking at the individual identifiers of any subject, it is very difficult to, uh, be able to apply the appropriate cures to data while also still forgetting about that individual. It's not wholly impossible by any stretch of the imagination, um, but it is challenging. Then there's also the, uh, kind of paradox of, well, how do I ensure that information anywhere else within the organization was (a) all found and remediated? So I found every single instance of all of Chris's information, and I have scrubbed all of it and or deleted all of it. And if I didn't, how do I know when it resurfaces, when I finally do find it, if I was supposed to have forgotten about you? Right, that second half of that is really the bigger problem, because if I don't retain some information about you, then I wouldn't know that it was still around for me to have violated it. So it means I have to first find all of it, right? There are no shortage of challenges with the right to be forgotten.

Okay. Now, uh, you know, you've laid out the problem pretty well here. Do you have, um, sort of a similarly laid out, like, solution that's not being implemented right now that you think, you know, would take care of this problem?

I don't know about not being implemented. I think it's more about how it's being implemented, right? It's the larger implementation throughout the entire data life cycle. You know, so again, a lot of what I try to do is solve for the entirety of the problem and put into place not just a one point of a solution or one point of an answer, but look at it throughout that entire life cycle. So from the time that information is first captured, am I gathering enough information to know what type of information it was and what purpose it was that I was capturing? And then as that information is used, shared, processed, analyzed, do I also now have the appropriate controls in place to respect both consent and compliance and security while it's being used? And then finally, once I get to archival and destruction, again, do I have the right policies, procedures, and controls in place to do those things as well? So.
The well laid out answer is along, you have to look at each step within the life cycle of data from the time it's created, used, shared, archived, destroyed, and apply the appropriate controls throughout each of those points of the life cycle. So the answer is, I see today a lot of controls being applied to maybe one point in that life cycle, right? So some folks may take some additional measures when they first gather that data, when they first start processing it, and then maybe not take the same level of care, um, in the middle stages as it's being used and shared, which then starts doing things like violating consent on the GDPR and other things of that nature. If it gets GDPR too, like, you know, we've had HIPAA in place since, uh, 95.

Right, that sounds right.

Um, yeah, and so HIPAA has had a similar notion for decades too, right? We share a lot of health information for the purpose of understanding, um, you know, how to treat different ailments and things of that nature. I mean, in this COVID environment we're doing a whole lot of health sharing right now as well, right, for research purposes.

Yeah, yeah, yeah, fast and sort of desperate sharing.

Fast and desperate sharing. So are those right measures in place? Right, right. So a lot of those things aren't even new concepts, much less, uh, new calls for repeating that data. In fact, HIPAA had explicitly defined the proper way to de-identify data many moons ago, and the level by which their definition of de-identifying the data does differ, um, than, say, FERPA, for example, right? Okay, um, so the answer to your question is, the well laid out way to implement it today is to ensure that you're looking at data throughout every stage of the life cycle and applying the appropriate control.

Okay, so, I mean, I guess what I'm also trying to get to is, based on laws like GDPR and CCPA, uh, is the sort of language and the law sufficient to sort of get us to that, and is the reason that it's not being done more a matter of people either intentionally or unintentionally sort of, uh, skirting the, you know, the regulations, such as they are? I guess I'm trying to get a sense of what the, you know, what the point of friction is here.

Well, there are several points of friction, and you asked, uh, you know, what not the letter of the law does well, right? CCPA certainly does not even explicitly state what a good mechanism for, uh, or what the minimum bar to entry for de-identification, anonymization, um, you know, data scrubbing, etc. is. It doesn't explicitly state this is what you need to do to make sure that subject data is well de-identified, the same way, say, HIPAA does. GDPR does go a little bit further and do so. However, GDPR equally takes a very wide approach to what is subject data, and it's defined as directly or indirectly identifiable. So the IMEI number in your SIM card in your phone is something that's indirectly identifiable to Chris, and so even something like that, uh, you have to figure out how to make sure that, if that's data that you collect and share, et cetera, um, how that is being, uh, properly handled. Um, and then some other friction points is really just a big knowledge gap. We've moved fast and hard on CCPA, for example.

Yeah, that's a fast rollout.

Very fast. So folks still try to understand the intricacies, the nuances, and then of course very few of the provisions have been challenged, um, in a legal setting, so, you know, there is no precedent for a lot of those things. So, um, yeah, we've got a ways to go before it all becomes very prescriptive for anyone to just wake up one morning and go, ah, I know how to do this.

Right, okay, so we're all still learning as we go here at this point.

There's certainly a lot of learning still left to be done, although there's a lot we do know, and we should certainly take all of those measures right now, as I mentioned, to make sure you're handling data based on its preference, its process, its purpose. Uh, but we do have a ways to go.

Do you see, uh, general improvements based on the rollouts of these things? Obviously there are still problems, and you said problems of implementation and stuff, but, you know, it seems like it was a pretty lawless non-system we had for years there. Do you feel like there's some sort of, like, you know, order happening around all the chaos?
I feel like it is getting better every day.

Okay.

Yeah, it's getting better every day. It's certainly a whole lot of one foot in front of the other.

Yeah. Right, right.

But I don't see us going backwards, at least not right now.

Right, yeah, yeah. I mean, it's important to, you know, sort of understand the distinction between the sort of, like, conniving, like, ooh, I'm gonna take this data and do something nefarious with it, versus people like, it's my first day on the job, I didn't know, you know, right? Right. So, speaking of sort of the job aspect of it, uh, you know, obviously with these new laws taking effect and potentially opening up, you know, new responsibilities for enterprises of all shapes and sizes, are there any new types of careers or positions that might be on the increase due to the regulations with GDPR, CCPA and other sort of regulations like this?

Well, there's certainly an opportunity for those that understand the law and technology, um, to, uh, really make really strong impacts in our world. There are not many of them, um, certainly not many that I've met with a firm grasp of, again, both the technology and the law. So there's very much those opportunities. Um, and some of those, uh, come in the shape and form of data privacy officers and, you know, titles such as those. Um, those things exist. There is, in my both professional and personal opinion, uh, there's going to be a lot more opportunities for analyst positions. That is to say, you know, today in the security world we've got a lot of SOC positions, right? We've got SOC analysts, level one, level two, level three analysts. The nature of their job around understanding security risk is now also coupled with being able to understand a privacy risk. So what's the difference? Well, let's say you have an alert that, uh, some data has left the company, right? You see it crossing one of your data loss prevention technologies, you see it leaving an egress point, etc., and you just don't want anything to leave. Well, that certainly is problematic from a security perspective. Um, you also have now privacy challenges of, Gabe has now explicitly requested that you no longer share his data with a third party. So even though you may have a legitimate connection to a third party where you share this information digitally, and no security violations may have occurred there, there certainly is a privacy violation when you share my data and you weren't supposed to, a very real one, really, where you will also be fined and subject to lawsuits, etc. by doing so. So we need to be able to, uh, automate and orchestrate and understand when an alert such as that triggers, right? So what does that mean? It means we need to be able to have privacy operations as part of our larger functions within an organization. And so privacy operations I see equally as another opportunity for new types of roles within organizations. Um, and maybe what we do is we grow and expand out the security operations role into the privacy operations role, where we combine them. And so, you know, we take privacy and we put it right into the middle of our security operations center, and we go from security operations centers to security and privacy operations centers, right? So from a SOC to a SPOC, if you would. Um, long live the data, right?

Yeah, right.

So I see a lot of opportunities on that front.

Okay. Um, so, um, sorry, I just got a weird Zoom message here. Um, so, uh, we talk a lot on this podcast about the skills gap in cyber security, you know, uh, basically that there's this great disparity between the number of available cyber security positions open, uh, which is a lot, and the number of qualified positions to do them, which is, uh, not a lot. Uh, so in our discussion you mentioned the cyber, the security skills shortage that wasn't, suggesting that you might have some views about the topic that might run counter to popular opinion. So what, in your opinion, is the future of cyber security jobs versus the available workforce?

Well, let's take those, uh, privacy operations that I just mentioned, because you can't, yeah, you can't have privacy without security, so they're certainly going to be hand in hand, if not, uh, completely, um, morphed into one. Right, so we can't fill the security roles today, how do we ever plan on filling the privacy roles that we're now faced with? The answer is you're not. But from my perspective, I don't think there was ever really a shortage of human beings. I think we had two major problems. The first is, for far too long, my fellow practitioners have made security way too esoteric of a topic that just scared too many people off, right? Like, oh my god, it's the dark arts, I do not know how I'm supposed to enter this, right? Like we're all walking around with the mark of the dark one on our forearm.

Right, yeah, exactly.

Um, and the second is that the technologies did not allow us to scale what resources we did have. So we see some of that getting better with, um, security orchestration and automation, um, and remediation solutions, right, where we're able to rapidly not just alert on things but orchestrate responses to things. That gets us into a better mechanism for triaging. I think there's a lot of opportunity there to close this perceived skill shortage, because again, I don't think it's an actual skill shortage, I think it's a technology issue. I think we haven't built systems that have allowed us to orchestrate, automate, respond, and scale out our needs nearly well enough, um, because there's just no way that we would have ever been able to have put enough warm bodies in the seats.

Right. Yeah, so I think we, we, we first start by removing the, this veil and this cloak of "this is some big esoteric thing", and then we also start building better technologies that allows, especially at the entry levels too, right, it allows for far more folks to be able to simply enter into those, uh, those roles. And that's largely a technology problem.

Right, okay, so, um, yeah, yeah, that's a really good point. That is definitely the sort of, like, the hard point of the funnel, is getting, getting the sort of beginner, beginner people in there and stuff like that. So do you have any, any more, any more thoughts on that? Like, um, you know, obviously that, that's the problem, but what's, what's, where do we, where do we sort of, like, change things?

We could start by lowering some of the requirements, right? That, don't, you don't ask for someone to have 10 years of Kubernetes experience when it's only been around for six.

Yeah, right. So yeah, it seems like an awful lot of guests have said that, yeah, the, the sort of, like, the HR requirements are one of the big sort of choke points.

It's, it's certainly a choke point, right? Like, and again, back to the certification ones, is it really mandatory for someone to have a CISSP? Right, like, is it really? I don't, I don't think so. Like, you can take, uh, you certainly can take a first-year mechanical engineering student and teach that, that person, um, uh, you know, a lot of the skills they need, and or that person could teach themselves, and or they could take some secondary school to, to get what they need, things that would be applicable to the positions that they're applying for. So that's one. Um, and again, the other one is by definitely orchestrating and automating, uh, way more of the tasks. We've done a better job of automating. We've got a ways to go on the orchestration of our technologies in general.
Okay, um, so, uh, I guess as we sort of wrap up today, where do you see data privacy going in the next five to ten years, especially with, with more regulations coming on board and more sort of, uh, you know, options for, um, you know, enforcing these things? Like, what do you see the landscape looking like in the, in the next decade?

Well, the technology landscape, I think that the trajectory of that one will have to start leveling out a bit. So, you know, we'll hopefully see a lot of consolidation in, in the privacy technology stack. Uh, so there's, there's one area that I certainly see that going into. Today a lot of folks try to solve for just one problem that they've identified, and so there's a lot of solutions that, that have sprung up to solve those one problems. We'll start seeing more consolidation of that. But I also see, again, I see the convergence of security and privacy, um, for the same reasons I've mentioned on the show, which is, you know, you can't have privacy without security; you can have security with privacy, but not the other way around. And so I see more of a convergence of the two as well, both in the, in the business functions as well as in the technology functions. Um, those, I see those things be inextricably linked. And I see, and I see all of this still starting where even security has, which isn't just understanding the data. We will be incapable of protecting it if we don't know what it is, and we will become even less capable of preserving its privacy if we don't know what it is, even if we've managed to protect it, whereby "protect", big air quotes, means, you know, I've, I've, uh, you know, I've put it on the lock and key, but if the persons with the keys are people that should not have access to it, then I've also violated privacy. So we need to understand what it is as well too.

Okay. Uh, so as we wrap up today, uh, tell me a little more about Spirion and some of the projects you currently have in the works.

Yeah, so Spirion's a data security and privacy company, been around for the better part of, uh, over a decade and a half. Um, we're, we're headquartered down in sunny St. Petersburg, Florida.

Okay. Yeah, yeah, yeah, nice.
And, uh, so, you know, a number of things that, that we've gotten the rise in, uh, are very similar to some of the things we've talked about today, which is helping organizations protect that, that data, so protecting the security and the privacy of it, helping them be able to respond to data subject access requests, and then be able to discover, classify, apply appropriate controls to their data sets. Um, we've got a number of things in the works, including, um, you know, being able to, to offer some, some additional analytics and governance, uh, solutions to those larger data privacy and security products. So we've rolled out two of those things earlier this year; we've got a few more that we'll be announcing, um, just in the next couple of months. So, uh, certainly looking forward to those things, uh, being released and, you know, folks checking them out. And, uh, you guys can head on over to. And, take a poke around.

Um, Spirion, is that right?

Yep, S-P-I-R-I-O-N, yeah. We, uh, we also have a little podcast that we do, also called Privacy Please podcast.

So obviously please, okay.

Yeah, Privacy Please, find it's all very focused on data security privacy mode. And, uh, and, you know, I'm active on Twitter at gabriel gums if anyone wants to, uh, give me a shout. Um, yeah, you can find us in all those locations.

Okay. Uh, Gabe, thank you for joining us today on Cyberwork. This was really interesting, and, uh, and I really enjoyed hearing about, uh, all these sort of things that I have this sort of vague knowledge of and, uh, are changing every day, so thank you.

I thank you, Chris, I appreciate it.

Okay, and thank you all for listening and watching. If you enjoyed today's video, you can find many more on our YouTube page. Just go to and type in Cyberwork with Infosec to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyberwork with Infosec in your podcast catcher of choice, and please rate and review us if you have a moment. For a free month of the Infosec Skills platform that you saw in the little video at the start of today's show, uh, and, uh, go to Skills. Sign up for an account, and in the coupon line type the word cyberwork, all one word, all small letters, no spaces, and get your free month. Thank you once again to Gabe Gums and Spirion, and thank you all for watching and listening. We will speak to you next week.

2020-08-31 22:57
