
Privacy Please Podcast with Michael Santarcangelo of Security Catalyst

Join Cameron Ivey and Gabe Gumbs of Spirion as they talk with Michael Santarcangelo, Founder and President, of Security Catalyst and Straight Talk Works.

Key Highlights From This Episode:

  • Michael’s unique path from DJ’ing/bartending to the Data Security and Privacy World
  • The unintended security and privacy consequences of HIPAA
  • How opting out of tracking via GDPR may increase scrutiny of those still being tracked
  • Why organizations should focus on trust rather than fear when it comes to communicating about data privacy and security
  • Why leading on data privacy will matter for companies in 2020 and beyond


Listen and subscribe to the podcast here

Transcript of the Episode:

Cameron Ivey:

When you first graduated from high school, were you already interested in data privacy and security before going to Cornell? If not, when and what intrigued you about InfoSec?


Michael Santarcangelo:

I was that kid who when he graduated high school, this is a long time ago now. Yeah. I knew I needed to go to college, but was I interested in security? I didn’t know what I was interested in. Which is interesting, because I was almost interested in everything. It was like, yes, this is all really cool. And my major, my school at Cornell actually ended up, my degree is called policy analysis and design. And what’s interesting about that is the way it was described to me… This might’ve been my junior or senior year, was, Michael hopefully we’ve taught you that problems can be, and are often complex, and you have to draw on multiple disciplines to both understand them and solve them.


Michael Santarcangelo:

And all I can tell you, is all these years later, it’s still fascinating to me that that school doesn’t turn out more people for security, because it’s exactly the challenges that we face today. But no, I… Did I know about security, maybe. But that wasn’t an interest to me. And in fact, if you think about how I got into security, I just… I asked too many questions. The way I… I ended up… I intentionally didn’t interview at the end, right. So there’s usually this big crush, and it’s, all right where are you going to go, and where are you going to go on your interviews? And I said yeah, I’m going to take some time off. My parents were not thrilled with that, by the way. They were like go graduate Cornell and take time off.


Michael Santarcangelo:

But when I was at Cornell, I started a DJ business. I started a moving company. And I had this really cool opportunity to be a bartender. And the way I had done that taught me a lot about the bar business. And I said, guys, listen, I know how to DJ. I have a bar… I know how to bartend. I’ll keep myself alive. And I think their biggest fear was, he’s never going to do anything else. But I wanted some time. I wanted to decompress. I very much didn’t want to rush into something that I would regret. Looking back at it, that’s kind of stupid. But it worked out pretty well. And it ended up getting me a position with Andersen Consulting, which is now Accenture. And I got put on the tech team, right. So mind you, I have a bachelor of science, but I don’t have a… it’s not engineering, it’s not computer science. It’s definitely not programming.


Michael Santarcangelo:

In fact, programming is what pretty much convinced me, that was not the right direction for me. But every time they had a problem, they’d come to me, because I had learned to think about stuff differently. And let me tell you, being on a technical team, people threw a lot of stuff at me just to see what I could or couldn’t do. I always had a knack for tech. In fact, I enjoyed… I was the kid who in high school was building computers from scratch. So I got it. It just wasn’t my biggest pursuit. The way I got into security, it was really simple. There was a Friday afternoon, it was a massive project. I mean imagine a project, going back 20 something years ago now, where you’re putting 250 kids out of college in upstate New York to solve a problem for the government, that’s a blend of custom code and development, and all sorts of stuff. And I was essentially a utility player on the tech team, and at the time had lived locally. So, I was also responsible for our Windows NT servers and our UNIX farm, and all sorts of other stuff.


Michael Santarcangelo:

And I went to the partner on a Friday afternoon and I said, hey Tom, our pricing spreadsheet is accessible to the client, is that what you intended? And he looked at me and he said, nope, that’s a big problem. All right listen, I’m going to fly home and I’ll be back Monday afternoon, fix it. Now at the time we got paid for overtime. So it wasn’t like I was working for free. I mean, I got it. But to set the stage, I think we had two security books at the time. We had Practical Unix and Internet Security, [crosstalk 00:04:03] which is the big yellow book from O’Reilly. And then I think it was the first one, like web commerce and security or something like that, right. So this is like 1997. I figured it out. I don’t know how, I mean the internet wasn’t what it was now, right. We didn’t have Google, we didn’t have any of that stuff. But I figured it out, and I was able to split it off, and it didn’t blow anything up, and it didn’t piss anybody off.


Michael Santarcangelo:

And my reward was come out to dinner, and by the way, we’re going to buy some prime rib and lobster, and you’re going to sit at the table with the client and we’re going to do all this stuff, right. So, here I am 21, 22 years old, solved a really cool problem. And the next thing you know, I was the security expert. And every time they had any question related to security, came to me. And one of the guys on the project, it was a multi-party project. There were a bunch of vendors there. I started spending time with IBM, and talking with them about security. And I started spending time with some of the locals, including a person who had been a police officer. And we spent a lot of time together looking at stuff and solving it and figuring things out.


Michael Santarcangelo:

And then one day I got a call from a small group in Chicago and they said, hey, you’re a security guy. Great. We’ve got this really cool project. Oddly enough, doing HIPAA and privacy down in Jacksonville, Florida. We need you. And I said, sweet, I don’t know who you are, or how you got my number, but I’m not in security and I’m not a security person. And they laughed at me. And they said, well, tell me what you’re working on. And I list it out, and they said right. Okay, so congratulations, you are a security person. It was a startup. Accenture was starting up a security practice, global. It was a globally focused, it was a separate group within Accenture that was designed to look at all this stuff. And I was one of the first 20 to 30 people through the door. And they had enough pull that they essentially got me yanked off of that project. And next thing you know I was in Jacksonville, Florida.


Cameron Ivey:

So that was at 22?


Michael Santarcangelo:

Yeah. Yep, yep. And this is back when security didn’t exist. Like if you told somebody you did security, the logical question was, you’re a security guard? And I like to think at least physique wise, I might’ve looked like it back then. And so I was kind of like, all right yeah, cool. But if you were on an airplane and you told somebody in ’97, ’98, you did security, it was… So, like force protection? Were you in the military, are you a cop? What do you do? It had nothing to do with any of the stuff that we look at today. And we had career counselors, and I had a guy tell me that going the security route was a career limiting move, and I really needed to think about this or not. Because what was I going to do down the road? This was not a good decision on their part.


Gabe Gumbs:

In all fairness, Gabe Gumbs jumping in here. I don’t know that he was wrong. In 1997, ’98. I mean look, 2020, is it still? I mean, I don’t know what the average CSO tenure is, but it’s still not that healthy. I mean, is it really that career moving? But you said something, and Cam and I were talking to a CISO of another organization earlier this week, last week, I don’t remember. And I think I’m going to start playing this little fun game of, where were you when HIPAA was enacted, right. One of those things where it’s like, where were you when like X, Y, Z, world event happened. Because I find it interesting that a lot of people do kind of almost inadvertently use that as a reference point to their early careers in security. And full disclosure for those that aren’t intimately familiar with my background, I think I only got into it several years after yourself.


Gabe Gumbs:

In ’97 I was doing kind of networking and then by like ’98, ’99, I was full bore into InfoSec. But it does beg the question too, right. Consider yourself the first contestant of the game. 1997, what were you doing when HIPAA went into full effect? Because, as we sit here in 2020 on the Privacy Please Podcast, HIPAA represents one of the first, if not the first, major privacy focused regulations, right. And I’m emphasizing those words very intentionally, because it was focused on privacy. And it would be years later until we see another such regulation, and it came out of the EU. And then even many years later, before we see yet another EU regulation, and now some U.S. regulations. So, let’s double click, let’s hover a little bit on ’97. You’re in security, you’re one of these 20, 30 people in, and HIPAA is a big deal, right. It’s big enough that-


Michael Santarcangelo:

Yeah, let me bring you back, because here’s the interesting part. So I’ve got a policy analysis background. My two policy concentrations… Actually we were only supposed to choose one, but I couldn’t. I split between education policy and healthcare policy. And most of that work gets done in your senior year. And I… We were looking at HIPAA. And I’m remembering these artifacts, but one of the things… because you talk about privacy focused is, in my courses as we’re dissecting this. And we’re looking at healthcare, and we’re looking at healthcare globally, and learning how to compare, and compare populations and understand it. We certainly looked at things like waste, fraud and abuse. But the thing that did come up, and I remember talking about privacy because I’m pretty sure the professor said something to the effect of, well and did you know that your medical records don’t even have any privacy attached to them? There was that, pah, huh, of course they do, right. And this is like 25 years ago. Of course they do. Nope, they didn’t. The Privacy Act of 1974 was interesting, limited, and didn’t have any play here.


Michael Santarcangelo:

And so, what’s interesting, you say that, because this definitely… I mean we called it port… It was all about portability, and this notion that people weren’t changing jobs, because healthcare was such a nightmare. And so therefore, here you go. And it was interesting, as I was getting ready for this conversation, because I didn’t rush into this. I didn’t rush into this like, oh, now that I have health policy and this HIPAA thing’s coming, I can solve it. And when I fell into security, where it’s people who have explained to me, I think different. And I think a lot of business in security, think different. So it fit. And I’m here, and I’ve been here for a really long time. What’s interesting though is, as I just pointed out, that second project was all around HIPAA and HIPAA policies, and really getting into it. And doing that in like ’98, right. So, then it would’ve been like ’98. That’s right when all of this stuff had been signed, but it hadn’t gone into effect yet. Which meant everybody’s kind of scrambling and saying, well, what do we need to do? What does it look like?


Michael Santarcangelo:

And that was a great time to do it, because you really got a chance to start asking those questions, and it was the health insurers paying attention to it. And it was the healthcare companies and the hospitals. And what’s interesting, because I’ve looked back over the last two decades, and between ’97 and 2010, I worked on at least four or five different types of HIPAA programs, right. Especially because the privacy stuff really got codified in 2003, 2004. And then we did more of the rules around it. And I still think it’s a decent model, about the things that are… you have to do this, versus it’s addressable. And what I always love is, so address it. Like yes, we looked at it, doesn’t apply. Next. As long as you can prove it, that’s really kind of cool.


Gabe Gumbs:

Nice. That is interesting. I can take this in a number of tangents, because when you think about the fact that the unintended consequence of HIPAA being a driver of data security as a regulation, versus its original intent of… And you make a very good point of portability, because people weren’t moving jobs. Well guess what? People still aren’t moving jobs because they’re worried about healthcare. And now we have to have a regulation like CCPA that attempts to protect the privacy of individuals’ data across things more than just healthcare. And so, we come almost full circle on these ideas, which is just remarkable when you think about it in that context.


Michael Santarcangelo:

Well, yeah. And let me just make a quick comment too, right. Because you pointed out something I think is really important, and we will definitely not turn this into a healthcare podcast. But I spent a long time studying healthcare. What’s interesting is you have people still don’t move, because for some reason we’ve never figured out that if we decouple healthcare from employment, the problem seems to go away. But we didn’t. We still tightly couple healthcare with employment, and therefore we’re going to keep seeing these things. What I think is a really interesting unintended consequence was, this was supposed to decrease waste, fraud and abuse. And it has done nothing to benefit that. By the way, I’m sure somebody somewhere is going to disagree with me and that’s cool, you’re welcome to.


Michael Santarcangelo:

But if you go to the typical doctor’s office 20 years ago, they could tell you what a cash price for something was. And on average, I want to say they had three or four rounds with an insurer to get something covered. The last time I checked, it was like 11. 11 bounces back and forth. And if anybody actually opens their EOBs, their Explanation Of Benefits, a lot of times it was denied. And then you call, and oh, our bad, it was coded wrong. Oh, okay, we’ll approve that. These games happen all the time. So, it’s interesting to see your point. What HIPAA’s really done, is it’s changed our focus on privacy and security. And it was built into it by design, but that was never what it was stated to do. And yet that’s almost exactly what it’s done. So I think it’s a fantastic consequence. I think the question is, what do we do about it.


Gabe Gumbs:

Well, I think you’re touching on part of it, right? That privacy by design, that is language that is littered all throughout GDPR. It has now become just kind of really commonplace in our lexicon when talking about security and privacy. Talk about decoupling things. You can’t decouple those two things, right. You cannot have privacy without security, but you can have security without privacy. And that’s been decoupled for quite some time. And so, do you think most companies incorporate privacy by design at all today, even inadvertently? Where do you see that?


Michael Santarcangelo:

It’s a loaded question, and I’ve got some things to unpack it. But here’s the quick answer, no. I don’t think companies do. So I think the question to ask then is why? Why don’t they? Why haven’t we seen more of that? But let me bring it back. So in 2000, I actually went to the FTC hearings on privacy, a colleague and I. We took the train. I was in New York City at the time, took the train down. And they… we showed up, right. And so they had to be public. And they were like, you’re here for the privacy thing? Seriously? Okay, cool. Yeah, we got some chairs for you guys. Come on over. It was really kind of fascinating. And I recorded it. And I’m pretty confident in a storage facility, I still have the cassette tapes, right. This is 2000, it’s cassette tapes.


Michael Santarcangelo:

But here’s what I… The thing I remember the most was, there was a guy, his name was Ted. He worked for Excite at Home. If you guys remember… I mean, you got to go into a way back machine. But they were a company. And he said something to the effect of, well we’ve got terabytes of data that we don’t know what to do with, or something to that effect. And one of the other folks, one of the privacy lawyers said something to the effect of, then delete it. And he said, oh, why would we do that? Just because I told you we don’t have to do with it now. Doesn’t mean we don’t think it’s got value in the future. And it was like that, oh. So people are amassing all of this data and they don’t know what to do with it yet. Okay, we’ll flash forward now. They know what to do with that data. They love it.


Michael Santarcangelo:

But so here’s some interesting things, because you brought up GDPR. So, there’s a paper, I just saw it yesterday, and I put this out on LinkedIn. So GDPR says you have to have the ability to opt out, and if you opt out you can’t be tracked. Do you guys, either of you, know how many people have opted out?


Gabe Gumbs:

Probably none.


Michael Santarcangelo:

12 and a half percent. So better than they expected, to be fair. And the neat thing is, this is… So if we start thinking about this in economics terms, right. Which is still my background. It was a better choice, right. So, the choice options, if I am a privacy-seeking consumer, and I used to have to use different browsers and block cookies and check things and whatever. Now I just click a box and say cool, opt out. That’s a huge benefit for them. You want to talk about unintended consequences? So here’s the balance, the other not 12 and a half percent, they are now more persistently tracked.


Michael Santarcangelo:

So we went from where it was very fragmented. It was very difficult to track people, and their behaviors, and their actions, and to turn it into anything meaningful. And we said, well, you’re going to have privacy by design and people can opt out. Yep. Okay. But a low percentage opt out, and you can look at that positive or negative. I don’t look at that as a failure. I’m just looking at it as it is, it does this. So, here’s a different question. Do people want privacy, or do they want anonymity? This was a conversation I used to have back when I lived in New York City.


Michael Santarcangelo:

If anybody’s ever commuted to any sort of a city. It’s always been fascinating to me, the people that get on the train every day. And typically, right… So I lived in New Jersey. I’d get on New Jersey Transit. We usually stood at the same place on the platform. I was usually like second or third car. You kind of… especially in the morning crowd, you know where you’re going to sit. And the reason I’m setting it up that way is, Gabe, you may not have known me, I may not have known you, but we knew to wave at each other every morning because we saw each other every morning. And you got to go back now with me 20 years. So, you probably had your copy of the Wall Street Journal, or whatever your Jersey paper was, or the Times, or the USA Today, or whatever you wanted to read. And that’s kind of what you read on the way in. And cell phones were there.


Michael Santarcangelo:

But the conversations that people would have on their cell phones with their doctors about their diagnoses. People giving out, things today that would make us cringe from a personally identifiable information perspective, was routine. Why? Well, because you didn’t really know me. I didn’t really know you. I didn’t really know where you lived and vice versa. And unless I was really some sort of a malicious person, who would do that. And so you think, well that’s a different situation. No New York City, right. New York City, by the way, where people 20 years ago were like ripping labels off of boxes and blacking things out and shredding stuff. The conversations you could hear people having in the hallways of buildings. Again, very highly personal, highly private stuff, but essentially wide open. Why? Because I think a lot of times we confuse privacy with anonymity.


Michael Santarcangelo:

And so now what happens is, is it that people were expecting privacy, or if they don’t know what to say. And really what I think they want is they want trust. They want some level that if you have my information, that I can trust that you’re not going to use it in a way that I don’t want you to use it. But by the way, and that there’s another point here to make, but go look at it and I… Let me see if I can find the number here real quick. Yeah. Here, I found it. Number of consumers. How many consumers, and this is a 2019 survey. How many consumers want personalization? When they buy something online or when they’re working even offline, when and in a retail setting? How many want something that’s absolutely personalized for them because it knows who they are?


Gabe Gumbs:

I’m going to say everyone.


Michael Santarcangelo:

63%. 63%, that they want that. They strongly want that. They crave that. They expect that. Now back when I was at Accenture, we saw the same thing in 2000… Well, let’s see, I left in 2000. So, somewhere in ’98, ’99, there was an Accenture labs group that had done similar types of work. So here’s the question then, right. So, when you say privacy by design… So first of all, I think there’s a lot of confusion when we say, right… Because to your point, there’s security, there’s risk, there’s privacy, and there’s compliance. They’re all related. Oh wait, let’s go ahead and add in governance too. Okay, so wait a minute. Where does all this fit? And then there’s the technical challenges. Data, data everywhere. And some of it I can read, and some of it’s corrupted, and most of it I have no clue.


Michael Santarcangelo:

And then we have competing priorities. So is my job as a business, to protect the data? Or is my job as a business, to use the data as best as I can to figure out where to go, right. Even General Mills. General Mills, they make cereal. And for years the way that they got data was going to the Nielsen Group, and doing some surveys. And they’ve said, you know what, we can do better now. And they’ve hired a new position, and they have a C level position reporting to the CEO, to take a look at data and analytics in the new market to better understand the consumers, and how to position things that the consumers want. So, to go back to your question… And the reason I called it a loaded question is privacy by design, it sounds good. It sounds smart, when we’re talking about it in a bubble. But I think if we go back out and say, well, why isn’t it happening? Right. And I didn’t press it on what did we really mean? Because I think the question to ask is why, and where, and where does it fit?


Gabe Gumbs:

All amazing points. I would have thought in particular, that more people would want to have things tailored to them. I personally, I respect my own privacy quite a bit. And I do so in a number of different ways. And I’m again, maybe to a fault sometimes, a big believer in if I’m not the… If I’m not the customer, I’m the product, right. I’ll [inaudible 00:21:18] him say this all the time. And I understand, that in order to trade some things off… Like, I’m willing to trade some level of privacy for largely not convenience, but oftentimes for things like personalized experiences. And when I say privacy, I will let Amazon analyze my behaviors, right. Like yeah, I buy this, I buy that, that type of thing. So that they can help me make better purchasing decisions. When I say better, I mean, show me things that I care about. I’m okay with that.


Gabe Gumbs:

I think what I still don’t see yet is, a better framework for both these organizations as well as individuals, to be able to explicitly trade on their data, if you would. Because I’m going to agree with you, I don’t think most people… I don’t think most people even understand the difference quite frankly, between privacy and anonymity, right. How many times have you heard the, well if you’ve got nothing to hide, then why do you need privacy? It’s like, well that’s not what privacy is, right. [Crosstalk 00:22:25] Yeah. And so, I don’t even think they understand that. So, with all of your background in privacy and security, and you’ve obviously been doing this for a really long time, what are you up to these days with Security Catalyst? That’s the organization that you run now?


Michael Santarcangelo:

Yeah. And it’s been kind of fun, and thanks for asking. The thing that’s been neat about Security Catalyst is… First of all, I want to just make something clear. Catalyst was the name that was given to me. I originally… It started as the Michelangelo Group, and then, I tried like… the branding thing. I did this bold security expert idea. Decided… I mean the bold thing I like, but I didn’t really want to be an expert. And I know, our industry has that whole, it’s part imposter syndrome and part meritocracy. We say, you can’t declare yourself an expert. And by the way, I agreed with it. I bought in on it.


Michael Santarcangelo:

So here’s what happened. I was working with a group of people and they said, dude, you’re a total catalyst. And I said, what does that mean, right. And I went out and looked at it, and that was the birth of Security Catalyst. And that was… I mean, we’re still going back 20 years now, I guess about 17 years on Security Catalyst. The whole goal that I’ve always had, is how do you reduce friction in our industry? So, I’ve routinely worked with vendors that have good solutions, and security leaders in their teams that are solving the right problems, and they want to figure that out.


Michael Santarcangelo:

About maybe 15 years or so ago, I got invited to work with a Fortune 10, to start training their risk team on how to communicate differently to the business. And that started this really cool… And I’ll make it quick, cascade of events where I really started paying attention to how we communicate. But my goal wasn’t to say, well this is how I do it, and you can be like me, because that’s not helping anybody. And I get really leery of that stuff. So I said, let’s go look at the tenets of effective communication, and what they are and how they can do it. And so I’ve been studying that for most of my life. I was always fascinated in that.


Michael Santarcangelo:

But what I started doing was creating models and frameworks, so that other people could develop their own styles, but still communicate value effectively. Well, turns out that’s awesome, but then you have to start understanding value. And I learned something really cool about a decade, decade and a half ago now, which is if you’re trying to communicate value to somebody, but they are out of sync, out of touch, disconnected from their own value, they will struggle to see yours. So that leads me to start looking at, well how do we help people reconnect with their value?


Michael Santarcangelo:

So, that then… That got me in a bunch of communication leadership stuff, and five years ago, November 2015, I was at an event and it was the birth of what we call the Straight Talk Framework. I had just given a talk, and one of the sponsors got up and said, hey I’m Tom, and I’m here to sell you. And everybody checked out instantly. And the resulting conversation helped me realize that in a security space, we have as many challenges communicating inward, as a lot of the vendors have communicating to us. And so what happened was I really started digging in on that, and over the last five years I developed out the Straight Talk Framework, which is something I happily give away for free.


Michael Santarcangelo:

And it started with five questions. And by the way, this is not one of those stories like, it started with five but now it’s 500. It started with five questions that I have now realized set up a pretty good value proposition, or what we call a potential value. And then I had already done the work on how to articulate and communicate their value. The missing link fell into place last year, and it was how do you achieve that value? How do you actualize that? How do I help you execute? And there’s a really cool corollary I figured out this year. Think about this guys. How many projects have you seen, I’ll say that go sideways. So, we’ll still pat ourselves on the back and say it was a success. But if we’re honest about our assessment, it was under scoped, right. So what we delivered was under what we scoped, it was over budget. It was over time. Oh.


Michael Santarcangelo:

So if we look at that from a value perspective and we’re really critical, did we deliver the value that we wanted? Critically, most cases, no. You know what the key to that is, executing rapidly. Oh by the way, you want to know what the key to telling a better story is? Understanding your context and value. You know how you do that, with a better story. So to answer your question, what I’ve been up to, is figuring out how to help do that more and more. And it’s been interesting.


Michael Santarcangelo:

What my clients have told me is, they rely on me to help navigate the business and political landscape, so that they and their teams can focus on solving the right problems. We can’t solve 30 problems a year, but if you pick the right three, you’re going to create dramatic value and that’s going to deliver those business results. And what’s really neat, is that kind of matches into identifying the right potential, executing against it ruthlessly, and then capturing those right artifacts and telling that story better. And that’s what I get the chance to do. And I love it. I love it. And I love our industry, and I know that we can look at it and say, well not much has changed in the last two decades. And as much as that’s true, it’s all different. And that’s so freaking exciting.


Michael Santarcangelo:

Security 20 years ago, if you told somebody you did security, they’d laugh at you. There were zero security startups. There were no conferences for security. And I say no, there were three, right. Now, there’s so many, there’s too many. And everybody gets a part about that. That’s fine. It’ll settle out. This is a great time. Security’s on a big stage. People are interested. They’re asking these questions. And so, what I get to do with Security Catalyst and the newer version, which we call Straight Talk Works, is I get to go help people solve those challenges.


Michael Santarcangelo:

And if you will allow me, what I like to do is, I show them what they’re like. In fact, I spent some time working on a purpose statement, and if you’ve never done this, do it. You’re going to resist it like I did, and you’re going to say, no, no, I got it. Like I did. And then when somebody asks you pointedly, and you kind of stammer over it, but here’s mine. And I didn’t follow the Simon Sinek formula, but I followed my own. I love it when somebody sees something remarkable, or great in themselves that inspires them to realize their untapped potential and create a story worth celebrating.


Michael Santarcangelo:

Guys, we deal with so much negativity, and so much of the downside of risk and security, that what I want is, I want love over fear. I want unity over division. And I want people to see that they’re doing great stuff. And it’s that chance sometimes to see the situation as it is, and to understand the value. And instead of feeling beat up that we didn’t get 20 things done, or 200 things done, feel great that you kicked ass on three things that moved the needle. That you felt good about. That’s what I get to do. I get to help great people doing good work, see it. I’m not there to tell them they’re wrong. I’m there to bolster them when they’re right, and help keep them moving in that right direction. And I am so grateful for that every day.

 

Gabe Gumbs:

You know, I think some people might hear this conversation and think, aw man, that sounded so squishy, and lofty and all lovey-dovey. But here’s what I want to say about that, which is having been in this industry is… just about as long as you have been. The fear, uncertainty, doubt, the loathing in this industry, does bring a lot of folks down. Much like yourself, I speak to a lot of people every day about their security and privacy challenges, every single day. Most of them don’t know what to do. Most of them don’t know where to start. Many of them have an idea of what they want to do, where to start, but they don’t know how to articulate their pain. And so, it is an important thing to be able to have a comfortable environment where you can share those stories and be able to express those things.

 

Gabe Gumbs:

I’m going to… So next week is RSA, and in preparation for that show every year like I’ve been doing for, I don’t know how many years now. I’m an old crusty RSA veteran at this point. There’s a talk in particular that I’m interested in seeing. Fear and loathing in cybersecurity by Dr. Jessica Barker. It is one of the few talks there I think… Maybe because this year it’s focused on the human element, that I think if you can, and you’re going to be at the show, you should definitely go and see. We are still so mired in all this. Aw, it’s going to be fines, and you’re going to lose your job, and people get… So much negativity, when in fact solving these problems around these big hairy card problems around privacy and security, we should really try and focus on how that makes people’s lives better.

 

Michael Santarcangelo:

Yep. I completely agree with you. In fact, if you allow me to editorialize quick, and I know we’re up against the heartbreak here, but. Calling it the human element, calling it layer eight, any of those things, guys, that is a disconnect, and it’s a dissonance. And I get it, RSA did it, whatever. Cool. It’s just people. It’s people do business with people. We do business with people we know, like, and trust. And we solve problems with people that we know, like, and trust. And if we go in and say, okay, I’m from security, and you people are wrong, and you don’t understand, and I don’t get it. We’re going to keep getting what we’re getting. The minute you turn around and say, tell me what you’re doing, and how I can help you do it better, and in a way that protects it.

 

Michael Santarcangelo:

Because by the way, our customers are expecting us, right… They’re trusting us with their information. Whether that means privacy, anonymity or whatnot. Because, go back to your point, and I’ll make it quick, about Amazon. You don’t mind Amazon grabbing that data on you and helping you make better decisions. Great. What if they were also selling that? Well, now you’re not so happy, right? And this could take us in a good conversation around Facebook, but people are trusting us as a business to do something. And so, if you position yourself to say, I can help you solve that challenge in a way that makes our customers happy, and makes your job easier, and you can follow through on that. There’s nothing we can’t do in this industry.

 

Michael Santarcangelo:

And I’ll leave you with this, twice now, three times now. I have actively tried to get out of security. I can freely admit now, I was in a really long depression for about almost a decade. It was kind of terrifying looking back at it, and it’s a conversation for another day. But yeah, man, this is a negative place, and a lot of us burn out. I think what’s happened to me is, I’ve reframed and I’ve looked at it. I see the bright side. There’s so much to do, and you’re right, it sounds aspirational and squishy. Except for, I can prove it every day, and this is the best place to be.

 

Gabe Gumbs:

I love it. I love it.

 

Cameron Ivey:

Well Mike, I really appreciate you coming on the show. I can’t wait to have you back again. Any closing thoughts before we wrap up?

 

Michael Santarcangelo:

Yeah, we need better conversations. If you were to ask me, what do I want for the future, or what do I want… It’s let’s go have those conversations. To your point, let’s stop talking about fines and penalties. Let’s start talking about harm. Let’s start talking about expectations. Let’s get real. Let’s get specific. Let’s clarify the problems that we’re trying to solve, and get people excited about that, and get them fired up about where this goes. And then I think the solutions start to have themselves. So instead of always telling everybody how it’s going to be, why don’t we flip it, and bring it around differently? And I think we’re going to see a much, much better return on our efforts.

 

Cameron Ivey:

Yeah, that’s a great point. Thank you so much, Mike. It was honestly just intriguing, and on my part to just kind of sit back and let you and Gabe converse on these topics. And I think, like you said before that there’s plenty of episodes where we can dive deeper into a lot of these things, and I’m really looking forward to doing those with you and learning.

 

Michael Santarcangelo:

Yeah, I’ll tell you what. Anytime you want me back, Cameron… I’ve enjoyed doing this. Gabe and I love these types of conversations, and I’ve enjoyed… Gabe and I’ve had a lot of time in person to have these types of conversations. And that’s the rest of it too. There was some stuff that came out, so if we want to talk about it in the future, let’s talk about the number of people who said that they can’t, right. Maintain these privacy standards, they can’t maintain compliance. Let’s go talk about what the fines have or haven’t done, and let’s really try to dig into the problem that we’re trying to solve. But let’s go look at some data too, see what we see out of it. Anytime you want, my friend, I will come back. This’ll be a fantastic conversation to have and thank you for giving me… Thank you for giving me a chance to reflect back over two decades of this. I don’t think a lot of us do that. No, but Cameron-

 

Cameron Ivey:

No, you can hear the passion. You can hear the passion, and it’s inspiring on my end. Someone in the industry that’s not as knowledgeable as the two of you. But man, it’s the passion is just… it’s awesome to hear and listen to. So, I do have one question before I let you go, on my end. And I love asking this question. But, what are you most excited for, being 2020 and beyond for data privacy? What do you look forward to for the future of this?

 

Michael Santarcangelo:

It’s going to seem counterintuitive, but I kind of like the fact that now we’re starting to see legislations that put some brakes on it, so it’s not a runaway train. And that’s great. And so… It’s like where I was just kind of saying at the tail end of Gabe’s last question with, I want more conversations. What gets me excited about it, is that we’re at a place where we can have this level of conversation. We’re at the place where we can sit down with the executives and the boards, and say okay guys, what’s the problem we’re trying to solve? And instead of just doing, well I don’t know, we got to be compliant. What do our consumers expect, or not.

 

Michael Santarcangelo:

We have a generation, or I guess maybe two now, of people that have lived with technology and they see it so differently now. And their expectations are different. So, McNealy said all those years ago, there’s no privacy, get over it. I think to some extent that’s probably still true. I mean, you watch any of these TV shows today, what hackers can do. Those of us in the industry know, it’s largely fictionalized and terrifyingly accurate at kind of the same time.

 

Michael Santarcangelo:

And so… but I think it doesn’t change. There’s still some stuff there to be had. And so what gets me excited, and again I’m contrarian on this is, I want more conversations of harm. I want more conversations of nothing bad has happened. But keep in mind, it doesn’t mean we’re a failure. Nothing bad has happened. Like guys, we’re doing a great freaking job, and therefore nothing bad has happened. So great, let’s recalibrate. How do we join forces? How do we… Let’s talk about privacy by design, right. So, what gets me excited is, I think we can go have legitimate conversations now. Where it’s not, I have to comply with the standard, or I have to comply with a regulation. As opposed to a, how do we do this? This is right for our customers. This is right for our clients. This is right for our employees.

 

Michael Santarcangelo:

Also, I don’t have to own it all. Just because I’m in security risk or privacy. So how do we do it across the company? Because the folks that we’re working with, they want this too. And if we shift our approaches, and use different language, and get people excited, we’re going to find that we can do it as a team. Because it’s the right thing to do. Because people are excited about it. Because it makes a difference. Oh yeah, NPS will also be compliant. And yeah, maybe you’ll be able to differentiate yourself. But you know, 20 years ago if we said, can you differentiate yourself based on security and privacy? We would say, oh, one day. But reality, no. What do we see in 2020 and beyond? Absolutely. It’s a requirement a lot of times, that’s compelling.

 

Michael Santarcangelo:

And I think it’s the beginning. And yeah, there’s going to be growing pains, and questions that are… 500 questionnaires. That’s nuts. Great. So what has me most excited. Now we can go have real conversations. Now we can collect real data. Now we can analyze real harm, real sentiment, real problems, and let’s go pick the right ones to solve. Oh, come on. That’s fantastic.

 

Cameron Ivey:

I love it. So, I’m just going to go ahead and claim you as a recurring guest. And we’ll-

 

Michael Santarcangelo:

I’ll tell you what. As often as you want, as long as people don’t get tired of me. And happy to pick topics and dissect them, or look at them differently. And kind of think about it that way, because that’s how I like to do it. It’s… I used to say, I never set out to be contrarian, or provocative. I always thought to be provocative you had to be a little too smash-mouth. And what I’ve realized is no, just go see it different. I’m very interested in life, just seeing things as they are. And if you could show me something that convinces me to change my opinion, I’m happy to do it.

 

Cameron Ivey:

Yeah. We’re here to challenge it and just make it better. So, I think you hit it right on the head. And Mike, thank you so much for your time. And ladies and gentlemen, if you want to find Michael. Where can they find you at?

 

Michael Santarcangelo:

SecurityCatalyst.com or at StraightTalk.works. On Twitter, I’m @Catalyst. I got pulled into that a long time ago. And on LinkedIn, you can look me up for my name.

 

Cameron Ivey:

Awesome.

 

Michael Santarcangelo:

Find Cameron or Gabe, and you can find me.

 

Cameron Ivey:

Yeah. Well we’ll see you next time and thank you again so much.