Privacy Please Podcast with Chris Leach – CISO Advisor at Cisco

Cameron Ivey and Gabe Gumbs interview Chris Leach: CISO advisor at Cisco


Highlights of the show include:

  • How are businesses of all sizes going to handle increasing privacy and security concerns?
  • Which role in the C-suite should own privacy and the balance between a CIO and CISO
  • Will there soon be a privacy operations center in companies similar to a security operations center?
  • The paradox of the right to be forgotten
  • Why you need great data discovery and identification in order to have data privacy

Podcast Transcript:

Cameron Ivey:

Ladies and gentlemen, welcome to Privacy Please. I am your host, Cameron Ivey. We have a very special episode today. Today, I have Christopher Leach, who is the CISO Advisor for Cisco.

 

Cameron Ivey:

Chris, thank you so much for coming on.

 

Chris Leach:

Thank you for inviting me, I’m glad to be here.

 

Cameron Ivey:

Yeah, absolutely. Chris, I just wanted to kick things off. Where did you start? How did you get into being a CISO? When you graduated from college, were you even in security? Give us a layout of your background.

 

Chris Leach:

Yeah, I actually graduated with a degree in accounting, and I was a partner at Grant Thornton.

 

Cameron Ivey:

Oh, wow.

 

Chris Leach:

Back then, I dealt with mostly the IT risk world. This was during the days when the Internet was young, and still we called it the wild, wild West. Working with the American Institute of CPAs, I developed a lot of the initial structure that they wrote, and required CPAs to do around auditing of the Internet, et cetera.

 

Chris Leach:

I was speaking one day at a banking conference, and was approached by one CEO of a large bank. His comments to me were twofold. The first one was, “Great job,” and the second one was, “You will be working for me.” And then he walked away. Whoa.

 

Cameron Ivey:

That’s strong.

 

Chris Leach:

I did go to work for him, and that was my first job as a CISO, so that was almost 22 years ago that I’ve been a CISO, in that realm, for 22 years.

 

Cameron Ivey:

Oh, wow. That was right after HIPAA, right? Let’s just paint a picture for everyone. It’s August 21st, 1996, Bill Clinton just signed a law for HIPAA to be in full effect. This must have been … I think it started around ’97. I mean, you’re just stepping into that role for the first time, right? Right when HIPAA starts to get going?

 

Chris Leach:

Yeah, probably a little bit after that, maybe. Actually, I can remember just because everyone talks about 9/11. It was probably eight months before 9/11, being the Chief Security Officer of a bank in New York. HIPAA, yes, was around, and right on the heels of that you had things like GLB (Gramm-Leach-Bliley), et cetera, so it was really a pivotal point for security, privacy, everything, at that point in time, and it was people’s eyes opening up.

 

Cameron Ivey:

Right. I guess, let’s do a comparison. From that point when you stepped into that role, and something like HIPAA for the first time being out, and so brand new. What’s the difference you see in today, in 2020, the approach around data privacy, and compliance regulations?

 

Chris Leach:

Let’s talk trends, in general, and then your specifics.

 

Chris Leach:

So trending, back then, back 20 years ago, there were immediate needs that needed to be addressed. For example, HIPAA came out because it was so important to start looking at healthcare in general, but then what the records, and so people started to concern themselves with that. Then, we had, as I mentioned, 9/11, and all of a sudden the security side of things became paramount.

 

Chris Leach:

Today, I think we are surprised, and I really am surprised that the focus that we are placing on privacy today, simply because the argument has always been, specifically over the last 10 years, that the younger people don’t care about privacy, they put everything online, and privacy’s not important. The older generations, it’s important, so we thought there was going to be a big tug of war. Lo and behold, how wrong were we? Because, certainly with the advent of GDPR and everything else that’s happening in our country, obviously becoming so focal. It’s like whoa, it came out of left field, no one was expecting.

 

Chris Leach:

I would say, in general, that these are good things to have happened. I say in general, because the other side of that coin is too much regulation, too much checking of the box becomes very mind numbing, and takes away from the real world. But, it’s good because it does raise the bar so that we’re all dealing with the same bar, that same level of criteria that we need to support, and comply with. If I’m not, I need to get there, but if there’s too much then it’s taking me away from other stuff that I need to do.

 

Cameron Ivey:

Right, that’s a good point. I don’t know if you hear this chatter as well, but being in data security, data privacy for so long, you were talking about how there’s been that back and forth, and how it’s kind of surprising that it’s the forefront of today in security, around data privacy. So, the right to be forgotten, everybody knows that, CCPA. Why is it still such a gray area? Obviously with security and privacy, people still don’t feel is there really the right to be forgotten, does that actually work? Especially with the Internet nowadays, are you really gone when you actually do the right to be forgotten?

 

Chris Leach:

Well, I think that’s the central question, can it really happen, for the reasons you just said. I think it’s yet to be tested, although certainly this right to be forgotten, or ghosted, or whatever we want to term it as, is a technological issue as much as it is a social one.

 

Chris Leach:

If you tell me that I need to forget or erase all traces of you, because you’ve come as a consumer to Cisco, or whoever, and you want all these tracks erased, so to speak, how do you know that I’ve got all of them, from your point of view? My challenge is, how do I find out where all those tracks are? As we know, the data sprawl is really a challenge. We go on premises, to cloud, to mobile devices, to everywhere else. How do I know where it all is? That becomes a real challenge.

 

Chris Leach:

When the laws have been coming out, a lot of people are sitting there going, “How do I do this?” That’s why I think there’s a lot of people questioning where do I go, how do I get this done, because it hasn’t been ever done before. Really, people are all asking the same questions.

 

Cameron Ivey:

Right. Okay, with all your years of being a CISO, do you think most companies go into it nowadays, to incorporate privacy by design? Do you hear that term now, more than ever?

 

Chris Leach:

More than ever, since starting when? When am I posing the question from? If we go back a year ago, no.

 

Cameron Ivey:

Right.

 

Chris Leach:

We’re all standing there waiting, to see how GDPR will be rolled out in Europe, and how that’s going to roll to us, in this country. Probably not, although if we were to fast forward to today, and have that dialogue, probably more so, but I don’t believe that it is the forefront of lots of discussions.

 

Chris Leach:

So, I think that privacy is dealing with the same thing security has dealt with forever, and that is we always used to say, as security professionals, “Let’s bake security in, and not bolt it on.”

 

Cameron Ivey:

Right.

 

Chris Leach:

I think privacy’s now realizing that’s what they’re dealing with, we’re bolting it on at the very end. But, I think you need to ask the question, why? Why is it that we’re bolting it on?

 

Chris Leach:

I would have to argue that one, the regulations are not that clear. In other words, there’s a lot of gray area, in any regulation. I think they’re done that way, on purpose. The interpretation of that regulation, or how it’s to be deployed, a lot of times comes down to how the regulatory community is auditing against that compliance, and they really set a lot of that direction. We saw it with GLBA, we’re going to see it with privacy.

 

Cameron Ivey:

Yeah good point, because it definitely seems for organizations, the driver is always compliance, and the compliance team in general. It seems to be the most important with organizations, on their decisions on what kind of tools and initiatives that they actually go for each year.

 

Chris Leach:

Well, think about some really small companies, or startups, or Mom-and-Pop companies who’ve been around for ever and ever, think about the burden this will place on their own operations going forward. It really needs some deep consideration and forethought. As you brought up, how do I bring in privacy to the forefront, along with security? Rather than bolt it on at the end, how do I bake it into my process?

 

Cameron Ivey:

Exactly.

 

Chris Leach:

So that my costs aren’t so great, and operationally I can fix. But, you still have all the historic data that you have to figure out, what am I going to do with it? I think that’s the biggest challenge, is the historic information that you want to forget me on, or whatever. Have I found it all? I think that’s the uphill challenge right now.

 

Cameron Ivey:

Yeah, I agree with you. I guess, just to turn things over, how long were you a CISO, before you became an advisor?

 

Chris Leach:

Almost 18 years. I wasn’t CISO in one company, it was several companies that I worked in.

 

Cameron Ivey:

Right.

 

Chris Leach:

About 18 years, total, that I was a CISO.

 

Cameron Ivey:

What would you say a typical lifeline for a CISO at one company? What kind of tenure do you think that is, year wise, compared to when you first became a CISO and nowadays? Do you see a difference in short tenure compared to long tenure?

 

Chris Leach:

Yeah, I would say historically, it’s getting better but it’s still not where it needs to be. If I think about when I was originally a CISO, and there weren’t very many of us way back when, and that’s kind of the problem. But, the average tenure probably, 10 to 15 years ago, was about 18 months for a CISO, and now maybe it’s 20, 24 months, so it’s getting better. But, I think why is it so short is the real question.

 

Cameron Ivey:

Yeah.

 

Chris Leach:

Do you want my answer, or do you want me to guess?

 

Cameron Ivey:

Yeah, no, I’d love your opinion. Yeah, I’m just curious.

 

Chris Leach:

Yeah, I’ll give you my never to be told opinion on it. I think there’s two reasons for it, in my mind. Who knows, I certainly am not an expert in any of this, I’m duddy studies. This is my gut talking to me.

 

Cameron Ivey:

Right.

 

Chris Leach:

One I would say is that CISOs come in with a large burden of responsibility. Sometimes they have the responsibility but not the accountability, and that’s setting somebody up for failure. In other words, they’re responsible to make it work right, but they can’t force somebody to do it, or they can’t make the change. So, when CISOs try to push change through too quickly, they’re looked at as, “Well, you don’t fit our culture,” blah, blah, blah. Either they will go out of frustration, they’ll leave the company out of frustration, or they’re asked to leave. I think that’s one reason.

 

Chris Leach:

The other reason I would think is that as things have rapidly changed, especially the last two, three years, the rush to the cloud, privacy, all these things coming to the forefront, CISOs now, more than ever before, need to understand and support business concepts, the business itself. Many times, CISOs want to still talk bits and bytes, zeroes and ones, and have a hard time talking about EBITDA, debt earning ratio, all those kinds of financial information. But, they need to be bilingual, they need to talk the language of security, and the language of business. I think, many times, they lag. But, it’s getting better, I’ve seen it getting better, but they’re lagging a little bit in that.

 

Chris Leach:

So, I think those are the two reasons, in my mind.

 

Cameron Ivey:

That’s great, thanks for doing that. Now, I have a question for you, and we’ve talked about this before. It seems there’s some kind of a disconnect between the title of CIO and CISO, when it comes to priorities, and the direction they should go for organizations with the security posture.

 

Cameron Ivey:

I just want to know, from your experience, why is that? Is there some kind of a harmony to it, are we getting there? Is that common, that disconnect?

 

Chris Leach:

Let’s look at this over time.

 

Cameron Ivey:

Okay.

 

Chris Leach:

Historically, we as CISOs naturally reported to the CIO. The challenge for a CISO in that scenario is that CIO, then, controls the CISO’s budget. So, effectively who’s running security? It’s the CIO.

 

Cameron Ivey:

Right.

 

Chris Leach:

There is a lack of the balances that need to be there. We see, again, going forward in time, in my own career I’ve reported to CIO, as I mentioned. I’ve reported to a CFO, who knew every dollar, and nickel, and dime I spent, and wanted to ask me about every nickel, and dollar, and dime.

 

Cameron Ivey:

Classic.

 

Chris Leach:

That’s their role, so I get it, right? Then, I’ve reported to a COO, which was probably the best for me. I think not necessarily everyone should report to a COO, but I think it gives you you’re separate from accounting, you’re separate from finance, and you’re separate from IT, so now you’re at an operational level. Also, the COO and my personality really meshed well, so that was also part of why I think it was the best, for me. I’ve also reported to a risk officer, which is separate from anything else.

 

Chris Leach:

Depending on, one, the culture of the organization, and the strength and weaknesses of the individual CSO, I think that determines where he or she should be sitting in an organization. But, I would argue that it really needs to be separate from the CIO. You talk about the tension, I think that’s a good thing.

 

Chris Leach:

If you think about it, the CIO’s job, or IT’s job is to keep that pipe open, and information flowing as fast as it can, so it’s analogous to a race car driver. Pedal to the metal, go as fast as you can. My job as a CISO, I’m sitting there saying, “No, you’re coming up on a curve here, you might want to slow down.” If the CIO doesn’t want to listen to me, and wants to go as fast as they want, then I have to put the brake on. Then, they get that tension. That tension is okay, as long as you can discuss it. But, here’s the other thing I’ll tell you about CISOs, is you can’t say no. You can’t say, “No, you cannot do that,” without giving an alternative because then, again, you’ve lost the whole focus of the business.

 

Chris Leach:

Over time, you see that thing changing, and I would hope that we would see some CISOs reporting into CISOs, at some point in time, because they’re telling us it’s board level, well then the CEO should own a little bit more. We, as CISOs, need to step up and own it as well, being capable to talk finance and everything else, to talk at that level. There’s some yin and yang on both sides.

 

Cameron Ivey:

Yeah, great. Thank you. That transitions beautifully into this next question. Obviously, we’re Privacy Please, so data privacy. When you’re a CISO, and you’re in an organization, there’s some new changes coming up with new titles, like data privacy officer, and I’m just curious, do you see a trend in companies throwing anything related to data privacy onto the CISO, because they don’t have the funds, or they don’t see the need to actually hire a data privacy officer? What are you seeing nowadays in companies, around this topic?

 

Chris Leach:

I know that, historically, I was the chief privacy officer at one point in time, plus security, plus blah, blah, blah. Why was that? I think back when I was the privacy officer, there wasn’t a lot of focus on privacy that there was today, we’re talking 10 years ago. I think that’s the last time I held that role. But yes, we are seeing … For companies that don’t have a chief digital officer, or a chief privacy officer, or someone other than an IT person, or a security person that would have security, then yeah, I call it thrown over to the wall, to the CISO.

 

Chris Leach:

Maybe it’s convenient because the CISO’s always dealing with regulatory issues anyway, and I think that’s why a lot of companies put it there. I don’t think it’s a good fit long term, but for now, okay. Let’s get it there, put the right processes in place, but understand that not everything within the purview of that privacy officer really relates to a security issue. So, there needs to be some shared accountability somewhere, and you have to work out those details.

 

Chris Leach:

But I think over time, we’re going to see more and more focus, like we do with CISOs, on privacy. We’re at an emergence of that whole issue right now.

 

Cameron Ivey:

Yeah, you’re definitely seeing that. It’s neat where there is a company that has a data privacy officer and a CISO, just because you can see that … Well, at least in my opinion, it looks like that company, or whoever’s running that company, is looking ahead to the future, and they’re just taking the initiative to stay on top of everything.

 

Chris Leach:

I think those privacy officers are learning their role, as well. I worked with one privacy officer at my last job who wanted to tell me how to run security. This attorney actually went out and passed the CISSP exam, because he thinks I’m thinking, “Oh my gosh, you’re an attorney focused on privacy, don’t tell me how to run security.” There will be some give and take, personalities, and everything that’s going on, but all in all, I would much rather have a privacy officer separate from me than to.

 

Cameron Ivey:

Yeah.

 

Gabe Gumbs:

Chris, Gabe Gumbs here. Just going to dive right in, and jump into this conversation.

 

Cameron Ivey:

Welcome, Gabe.

 

Gabe Gumbs:

Thanks, gentlemen. I’ve been sitting back and enjoying this conversation. But you guys are right in the middle of something that Chris and I have been discussing, and I want to bring up for our audience also, though.

 

Gabe Gumbs:

Privacy operations, I have some opinions on where these things will start making their way up into the organization. But, you highlight, Chris, that as that being something that was already within the purview of your part of the organization, and something that you believe is well suited for CISOs to understand, and maybe even CIOs to be a part of, as folks in the overall ecosystem of owning the data processing, et cetera. Where do you see privacy operations fitting in, into the overall purview of the CISO?

 

Chris Leach:

This is a really complex discussion here, because one, it’s new. And two, you have to understand why security and privacy are close allies to begin with. If you look at the precepts of confidentiality, data integrity, and so forth, privacy is really foundational to the CISO’s role.

 

Chris Leach:

When we start talking about privacy operations, certainly there are components of security that are very, very critical, that need to be supplied with to secure that data. But when you start talking about, as Cameron and I were talking about earlier, ghosting … I call it ghosting people, forgetting a person, those actually get down to the database structure, and running of a database, that a CISO is not a DBA, does not get involved. I will tell you, every DBA on the planet would say, “You security people, stay away from my database.” So there are elements and components that are outside the operational purview today of a CISO. Then again, whoever operates that today, which tends to be the CIO. And, we’re going to see different changes of things going forward, that then say to other operational people, “How long am I supposed to maintain my data?” Maybe it’s different for this type of customer versus another.

 

Chris Leach:

The CISO again, operationally, does not manage those backups, those restorations, et cetera, that, again, need to be coordinated with other groups of people. So, if the CISO is wearing that hat today, we’re now adding more workload to what he or she is doing, as opposed to some of those privacy operations stuff that is jointly owned by IT and security. Then, you bring in this new data privacy officer, who may be an attorney, they tend to be. The ones I know were attorneys, who have no operational experience at all. So, they don’t understand the concepts of 24/7, 365, follow the sun, all these kinds of things that operation people live with all the time.

 

Chris Leach:

You can see how difficult and convoluted this becomes very quickly, and why there’s a lot of, I don’t know, juggling of these balls, and trying to figure out who’s on first, and who’s doing what on first. I think it’s going to be several years before we work all this out. But, bottom line in my mind, Gabe, is that we will see an emergence of a privacy operations center, just like we did from the network operations center was born the security operations center. From the security, I think we will have the birth of a privacy operations center.

 

Gabe Gumbs:

Now, I appreciate that perspective, I’m in wholehearted agreement with that. I see it, also, and tell me where you disagree, or agree for that matter … I see it as somewhat natural. When I look at the security operations center, and having also been a member of and ran security operations teams, there’s a lot of tools and processes already in place that seem to naturally align with a lot of what we need to at least do today, around privacy operations. Those things certainly might, plausibly, evolve beyond that, but I don’t see an evolution into the need for a separate operations center for privacy, when so much of that seems to fit naturally into what we have in our security operations centers today, too. Interesting perspective.

 

Chris Leach:

I guess I’d argue a little bit. Today, I’d agree with you. Why would we separate privacy operations from security or anything else? It makes sense to me.

 

Chris Leach:

In 1980, if we were to ask the same question about security and IT, we’d have said, “Well, there is no reason to separate them, because they’re one and the same.” But over time, I think we will see changes to the privacy laws, changes to the requirements, that I think we’ll start to see a separation of what you had just talked about, where a lot of the processes are the same. I think we will see that change, but for now, you’re right. Let’s leave it alone, let’s let it grow and mature, and see where the laws, and operationally where we go. I think technology will change over that period of time.

 

Chris Leach:

If you think about IOT, how it’s just blown into the environment, and there’s a lot of privacy issues around IOT, if that’s a pacemaker and other things, things that we haven’t even thought about yet. Which is why I say that a year from now, two years from now, we may have a completely different conversation.

 

Gabe Gumbs:

Yeah, indeed.

 

Cameron Ivey:

I’m curious. Chris, what is your biggest challenge, being the CISO Advisor for Cisco? What’s your biggest challenge today? Probably a lot.

 

Chris Leach:

I was going to say, do I have to get on another [inaudible 00:24:02]? Especially now.

 

Chris Leach:

I would say that the biggest challenge … You have to understand what I do, and that there are two large buckets. I have several littler ones, but two large ones. One is actually working with the CISO community around the globe, that’s a big part of it. Certainly, I have relationships with lots of CISOs. The other is working with Cisco in making sure that Cisco understands the challenges of the modern day CISO, so that its products and everything else are tweaked.

 

Chris Leach:

I would say, understanding those are two big buckets, my biggest challenge today is having that CISO who wants to have a discussion, who needs to sit down and have a discussion, that CISO is so stretched with all the other things going on, sometimes it’s difficult for him or her just to sit down and have that one on one conversation. When we’re lucky enough, that the planets align, everyone’s schedules align, you move that bar a great deal.

 

Chris Leach:

The nice thing about my role, and those who work with me know, I have no sales quota, I don’t have to wave the Cisco banner everywhere I go. We talk about business issues, the changes in the environment, the culture, and all those things. The CISO is in the middle of that, and privacy right now is really top on their plate just because of all the things, the changes that are going on. So, having that time for me to sit down … Not my time, but his or her time, the CISO’s time, is really difficult sometimes to get.

 

Gabe Gumbs:

I wouldn’t mind double clicking a little into one of those new challenges that I really see emerging, when I’m talking to some folks. Much like yourself, I am equally lucky in so much that I don’t have to carry a … I carry a bag, but not a quota as I like to say. So, people open up to me about a lot of their challenges.

 

Gabe Gumbs:

One of those, around privacy in particular, keeps coming back to this notion of the right to be forgotten, and things of that nature. And, the right for subjects to be able to control their data. I happen, on a personal level, to think that is awesome, I’ve been a champion of that for some time. Obviously, Privacy Please podcast, that’s what we’re all about here.

 

Gabe Gumbs:

How do you do that? How do you operationally, how do you as a business retain the business value of the information that is the lifeblood of what you do? The buying habits, the behaviors of individuals, all of those things, and still respect their privacy? Where do you begin in thinking about that problem? I don’t think there’s a neat answer for how you solve it, so I certainly don’t want to put you on the spot for that. But, where should they even start about thinking about that problem?

 

Chris Leach:

Well, first of all, this right to be forgotten piece that everyone likes to glob onto, I really would like to go out and do a study. How many times has that been exercised with a company? I don’t know whether there’s a lot of people who are exercising on that, but maybe I’m wrong. I would bet that if you were to take that population … let’s just pick a number. Let’s say it’s 100 people. Of that 100 people, how many of those 100 were just really frustrated and angry, and just wanted to be gotten out of there? Again, we understand a little bit more what’s going. Again, I don’t think we know how many people, or how big this elephant is.

 

Chris Leach:

Having said that, I think the issue is extremely difficult to resolve, and that’s because we have, over time … many companies have been around forever and ever. You have data sprawl, so where are all these pieces? Gabe, that’s your question. Where are all these pieces of information that I need to forget? Can I identify them all, do I know where they are? Then, secondly, do I have a well defined process in place? How does it, et cetera, how do I verify, and so forth?

 

Chris Leach:

So, I think those are two of the questions. I know I’ve only been with Cisco for a little over a year, I was a CISO just prior, and this was one of the things we were dealing with. We were struggling with, one, identifying all the little threads and pieces where it was. But then, once we identified it, how were we going to prove to a customer, or to a regulatory agency, that we really did do what they said? There was some database juggling, and there was applications that were being changed, so there was a lot of heavy lifting going on, and I believe it’s still going on today. The Mom-and-Pop shops, the smaller companies, the smaller enterprises, this is going to be a huge burden for them to overcome. I think it’s going to take time.

 

Gabe Gumbs:

To say the least of the paradox of in order for me to continuously know that I’m protecting your privacy and have forgotten about you, do I need to retain something to know that?

 

Chris Leach:

We were concerned, at my last employer, we actually put a digital cert we put on every time a record was forgotten. But yeah, at least you had that cert that was out there, proving that we had forgotten an individual.

 

Chris Leach:

But remember, when you say that you want to be forgotten, if there are other legal reasons why your information’s going to stay out there, that information’s going to stay, irrespective of your requirements, or your request to be forgotten. There will be pieces of information, based on what your historic interactions with the company’s been, that are still going to be there regardless of what you want to say, because there are other reasons that they have to stay. Like I said, if it was a loan, being worked backwards.

 

Chris Leach:

Think how the attorneys are struggling to figure out, how do we craft a statement that does this and this, and the data flows? How do I automate it? It is a really, really difficult problem that we’re dealing with right now. But, it will be resolved, it’s just going to take a little bit of time.

 

Gabe Gumbs:

Indeed, quite the challenge.

 

Cameron Ivey:

Yeah. Well, I know we’re coming up on a hard stop here, Chris, and I want to respect that. I think we’re going to have a two part series anyways, because we could talk about this for hours, diving into the right to be forgotten.

 

Cameron Ivey:

Is there anything that I didn’t ask, or that Gabe didn’t bring up, that you wanted to talk about on your end, around data privacy, before I wrap up with my last question?

 

Chris Leach:

Yeah. I would say one of the things, a good thing, that’s coming out of this being forgotten discussion we’ve been having is the identification of where all these pieces of data are.

 

Chris Leach:

Let’s put my CISO hat on, I’m pure CISO, no privacy. A breach occurs, that word that nobody wants to hear, the B word. So, because it’s very difficult to really say with certainty that we know that only this server was breached, and on this server only was this information, and therefore I’m reducing my notification because I don’t have to notify everybody. I’m just notifying the people that are on the server. That would be a positive thing, because I’m now identifying where all these pieces of information are. So, I’ll be able to limit my breach notification, which then is a good thing.

 

Chris Leach:

The other side of that is that when we see these bits and pieces of information, we tend to move them into one space, [inaudible 00:31:11]. There’s a good and bad with that. So, understand I think there are some very positive elements on breach notification that are coming out of this move, still yet to be seen how we can identify all the pieces, and still yet to be seen how much it’s going to cost us all.

 

Chris Leach:

GLBA is a good example, that is one little paragraph. If you look at the initial Gramm-Leach Act, that was specifically for financial services, it’s a paragraph, and it turned into a multi-billion dollar consulting gig for a lot of different companies. I think we’re going to see a similar path here, today.

 

Cameron Ivey:

That’s awesome. I mean, that might run into my question, what you just touched on. But, I like to end the episodes with, from your personal perspective, what are you most excited for, now that it’s 2020, for data privacy and cybersecurity? What are you most excited to see happen, from this point on?

 

Chris Leach:

Excited? I guess, I want to see … There’s a lot of things that come into play, here.

 

Chris Leach:

We talk about data privacy and security, but the data privacy piece then says, okay, if I’m in Canada, my data only stays in Canada. We have issues around that identification piece. But, it helps me secure an environment better, because I know that my data’s only in this area, I can, again, limit my scope. I think these are positive steps that help the CISO work with the privacy individuals, in securing that information, cleaning up that information. And then, also helps me reduce risk, because again, I’m getting rid of old stuff that I shouldn’t have anyway, so I’m reducing my risk, and reducing storage, everything else. So, maybe that’s some capital coming back to a company.

 

Chris Leach:

But it also is going to accelerate, and I think this is the cool part, it’s accelerating our digital transformation you keep talking about. Because we are, basically, cleaning out our garage, and you hate to clean that garage out. But, once you’re done, boy, are you glad you did. So, I think we’re in the middle of cleaning our garage out, it’s halfway done. We look at it and you go, “Oh my gosh, why did I start this? I’m never going to get done.” You power through to get done, and you’re glad you do. So, let’s get our garages cleaned, and have a safer, more nimble environment in which to work.

 

Cameron Ivey:

Awesome. Well, you hear that, guys? Let’s have some garage sales, and clean that out.

 

Chris Leach:

Well, we can’t sell identities. Be careful what we’re selling in our garage sales.

 

Cameron Ivey:

That’s a good point, good point.

 

Cameron Ivey:

Well Chris, thank you so much for being on, we really appreciate your time and your insight. I hope to have you back. I don’t know if Gabe, you want to say anything, last words?

 

Gabe Gumbs:

No. I appreciate your time, for sure. Chris, is there any place you’re going to be over the next couple of weeks or months, talking at a conference anywhere that you may want to plug, so folks can come see you in person?

 

Chris Leach:

There are a number of places, but a lot of these are up in the air right now because of our current Coronavirus thing.

 

Chris Leach:

I’ll give you an example, I was supposed to be in Atlanta next week, it was canceled. I’m speaking in North Carolina and New York, but again, we’re still waiting to see how this is all going to play. So, I’d rather than me plug anything Gabe, but thank you for that opportunity. I’m a little leery, so we’re going to wait and see.

 

Gabe Gumbs:

Duly noted. Well, on that note, I’d just like to remind our audience to wash their hands like they just cut a pound of jalapenos.

 

Cameron Ivey:

Don’t rub your eyes.

 

Gabe Gumbs:

Don’t rub your eyes.

 

Cameron Ivey:

Well, thank you gentlemen, I really appreciate your time.

 

Chris Leach:

Nope, thank you.

 

Gabe Gumbs:

It was great.

 

Chris Leach:

It was fun.

 

Cameron Ivey:

Awesome.

 
