Cameron Ivey and Gabe Gumbs discuss their experiences and takeaways from RSA.
Highlights include:
- Homomorphic encryption and differential privacy controls
- Data privacy as the hot new focus in data security
- Decrease in Data Loss Prevention (DLP) branding but rise in Privacy branding
- Machine learning’s role in data security and privacy
- The Human element in data privacy
Transcript:
Cameron Ivey:
All right, ladies and gentlemen. Welcome to another episode of Privacy Please. I’m your host Cameron Ivey. With me is my wonderful co-host, Mr. Gabe Gumbs. Gabe, what’s going on?
Gabe Gumbs:
Hey. Hey, hey, hey. Good afternoon, Cam. How are you? Good to see ya.
Cameron Ivey:
Good to see you. This episode is special. We’re going to wrap up around RSA Conference. It was from February 24th to the 27th. It was the 29th annual RSA Conference. It was held at the Moscone Center. It was in San Francisco, California as usual. A group of 36,000 attendees descended down to the center to explore the human element within dozens of sessions held by 704 speakers and the booths of 658 exhibitors.
Cameron Ivey:
Spirion attended with the intention to gather information, obtain leads and announce new products to the cybersecurity landscape. It was pretty neat. The conference was really fun. We’re just going to kind of wrap up and touch on some big key points there. The first one for you, Gabe, is let’s talk about market trends and what we observed. Let’s go onto the homomorphic encryption and other differential privacy controls and kind of touch on that a little bit more.
Gabe Gumbs:
It’s a big mouthful. It was, correct me if I’m wrong, I mean I’m an old, crusty RSA veteran. I think this was, well, I’m not going to say the very first one I went to, but suffice to say, it was several presidents ago. I believe this was your first one though.
Cameron Ivey:
It was my first one. I’m a newbie.
Gabe Gumbs:
How’d you enjoy it?
Cameron Ivey:
It was fun. A lot of InfoSec people, a lot of people from overseas. I just thought it was a great exposure to the atmosphere around data security. I wish I would have been able to see more or actually at all see any speakers or hear any conferences. I wasn’t able to actually do that. I was too busy.
Gabe Gumbs:
I hear you there. I was able to take in a couple of talks myself, maybe a little under a dozen. They were pretty good.
Cameron Ivey:
You seemed pretty busy. You were being pulled left and right.
Gabe Gumbs:
I’m usually pretty busy. It’s always a crazy show. There were meetings and press interviews and all kinds of shenanigans, you name it. It was good.
Cameron Ivey:
Anybody knowing that IBM and I think a couple other large companies pulled out, it was still extremely crowded and busy. Way to miss it if you weren’t there.
Homomorphic Encryption and Differential Privacy Controls
Gabe Gumbs:
No, I hear you there. But, here we are. We’re going to give a wrap up for the folks that couldn’t make it. We’ll also post some additional information on the blog. I’m sure about that. But your first question, you mentioned homomorphic encryption as kind of a trend that we did observe there while we were at this show. One of the things that seemed to kind of be echoing across the show floor as well as in some of the talks, not just homomorphic encryption, but other differential privacy controls. Those things really were, I don’t want to say front and center, but they certainly made an impression on me during the show.
Gabe Gumbs:
I’m not sure how much of that was just due to the overall theme of the human element, which would make sense. A number of these types of controls they’re geared towards protecting the privacy of organizations. In particular you look at homomorphic encryption, you looked at format preserving hashing and those things-
Cameron Ivey:
Stuff like data masking and tokenization.
Gabe Gumbs:
Exactly, data masking and tokenization, those were some of the more traditional downstream controls that one might apply to data sets of this type. But what we are seeing now are more controls that are kind of aimed towards helping organizations preserve the usefulness of that data while protecting the privacy of individuals.
Data Privacy Takes Center Stage
Gabe Gumbs:
I think we’re going to see quite a bit more of those types of technologies in the marketplace in general. What I would call, or I think what the market in particular would call, kind of the privacy tools, privacy solutions, privacy technology if you would. In fact, minor squirrel moment, because I’m always a big fan of going to the Innovation Sandbox, there was a privacy solution that won that this year. Privacy was all over the place at RSA.
Cameron Ivey:
That should have been the topic of RSA.
Gabe Gumbs:
I mean what was it not though? I mean, the theme was the human element. Ultimately, what we talk about all the time on this show when we talk about privacy, we’re talking about the human element. We’re talking about protecting the privacy of people. Not protecting the data of companies, some random company here and there. I mean, of course those things are important. It’s certainly important to those organizations, but the privacy of the individuals that are affected by these things, that’s that real human element.
Cameron Ivey:
That’s great.
Gabe Gumbs:
You know what? I probably should back up and maybe define a couple of terms because I have a bad habit of doing this.
Cameron Ivey:
That would be helpful.
Differential Privacy
Gabe Gumbs:
I feel like I throw out differential privacy. What is differential privacy even? Strictly defined it’s a system for sharing information about a data set by simply describing the patterns in the data set without giving away more details about that data set. A good way to think about this is if you take the healthcare industry for example, they share a lot of data sets openly with the public and with other universities or with other government entities for the purpose of doing healthcare research. In order to do that healthcare research and still preserve your privacy, they have to remove the identified individuals from those things. Differential privacy offers systems and tools for being able to do exactly that.
Cameron Ivey:
Awesome. Thank you. Let’s move on to the next bullet point. The number of vendors labeling themselves as data loss prevention tools, that’s DLP, is down over previous years. Only 64 of the 658 exhibitors labeled themselves as a DLP product. Let’s dive into that a little bit.
Decrease in DLP labeling
Gabe Gumbs:
That is an interesting market trend that we did observe, right? What does that mean? Only 10%, I call that a fair number. Is this one of those things where the trend of DLP was hot and so everyone was jumping on that wagon and now they’re kind of jumping off of it because there were some missed expectations around that?
Gabe Gumbs:
Here’s what I’ll say about that, again when it comes to that human element, I believe that focus is shifting strictly from just protecting data from escaping an organization. Again, still a priority, but there’s a very big difference between that data security element and that data privacy element. DLPs in their current incarnation aren’t really designed strictly speaking, or even explicitly speaking, for preventing the loss of privacy.
Gabe Gumbs:
I’m drawing the line between data loss versus privacy loss, right? One of those things is the organization that I trusted with my data, they didn’t protect it. Some either intentionally malicious or accidentally malicious actor got their hands on it versus a privacy incident, a privacy breach where I didn’t consent to my information, excuse me, being shared with another organization. Today’s DLPs just aren’t really designed for that. Is it surprising that the trend of folks kind of throwing that term around, is it there any longer? I’m not personally surprised by that.
Cameron Ivey:
You’re saying it’s more on purpose more than ever because basically from what this is saying, there’s more DLP products that were there that just didn’t deem themselves as solely a DLP.
Gabe Gumbs:
Or the DLP products that were calling themselves DLP products maybe really weren’t and now they’re kind of. I don’t really want to offer some prophetic statement on that. Again for me, the thing that really stood out there was it doesn’t address privacy. They’re not kind of aligning themselves with protecting privacy when they can’t from that perspective. Just an interesting observation.
Cameron Ivey:
It’s super-interesting, obviously. You’ve gone 20 years now. Did you ever see this kind of thing becoming such a, I don’t know, low commodity? It just becomes something that people just kind of wean off of. Is that just how it works over these 20 years? Is that the trends kind of cycle up and down? What have you normally seen?
Gabe Gumbs:
You nailed it. It’s an ebb and flow of these things as business concerns ebb and flow and the regulation landscape ebbs and flows. Vendors attempt to solve problems for their customers where they see their customers struggling with things. The struggle certainly with data loss hasn’t gone away, but there’s an increased focus. It’s the entire reason we have these conversations weekly around privacy. There’s certainly an increased focus around this topic and people in particular. I’ll just keep saying it since it is an RSA wrap-up show, that human element. That human element isn’t talking about random data files getting out or data in general. We’re really focused on people.
Cameron Ivey:
That’s a good point. I had mentioned earlier there was I think 700 plus speakers at the show. I think were you part of at least one of those?
Gabe Gumbs:
I was not. Our good friend Scott Giordano … shout out to Scott Giordano.
Cameron Ivey:
Shameless plug.
Gabe Gumbs:
Yeah, it is. Scott Giordano was actually. I think his talk is available online to kind of review. He did some speaking on the topics of privacy and specifically from his point of view. He’s a privacy lawyer. He did a fair bit of education on those topics. I mean if I’m not mistaken, Scott’s on the road today. He’s in Atlanta educating some more folks on that topic as well too. I didn’t give any talks this year.
Cameron Ivey:
I thought you did.
Gabe Gumbs:
No. I don’t know if I submitted to RSA this year. Although, shameless plug time, I am speaking at the end of this month down at InfoSec World in Orlando. I’ll be there talking-
Cameron Ivey:
My hometown.
Gabe Gumbs:
… coincidentally not about privacy at all. I’m actually talking about some other security trends that are fairly unrelated. We’re going to be digging into the exfiltration problem a bit. We’re going to touch on privacy though, but that talk in particular slightly different.
Rise in Privacy branding
Cameron Ivey:
Okay, very cool. All right. Let’s move on to the themes, the overall conference themes. I’ve got a few here. Of the 658 exhibitors, 106 self-identified as privacy organizations. Let’s touch on that.
Gabe Gumbs:
Yeah. That feels like the opposite side of the coin from the number of people who called themselves DLP.
Cameron Ivey:
It’s flip flopped.
Gabe Gumbs:
Right. There’s a flip flop there. Maybe what they’re recognizing is, “Hey, maybe we are solving for these problems.” What I can tell you is there certainly was a massive uptick in the number of folks that are aligning themselves with that problem and trying to solve for it in any number of ways. There’s so many different ways that this problem needs to be addressed. Fundamentally, we have some beliefs around where one begins with that. Some of our past guests have talked about these things, right?
Gabe Gumbs:
If you take, again, love the Innovation Sandbox. If you take last year’s winner, they were an inventory solution, right? They were a technology inventory solution. The basis of many of the things that we do when it comes to protecting information, protecting privacy does really start with just inventorying things, finding it, understanding it and so forth.
Gabe Gumbs:
The flip side of that coin, 106 organizations were talking about privacy and identifying as privacy organizations. It was, again from an overall reoccurring theme in a conference, that wasn’t lost on me.
Cameron Ivey:
That’s smart. That was a smart move on their part.
Gabe Gumbs:
I mean, hopefully they’re genuinely attacking this problem. We need more people in the army trying to solve for this. I’m not offended by that.
Cameron Ivey:
I think we’re going to have a future episode with a special someone that I’m not going to mention yet, but we’re going to dive into there’s all these compliance laws and everything like that. But laws are lagging and the bigger thing is building a community with our leaders in InfoSec and guiding tech around data privacy. There’s a lot of companies in tech that don’t know how to solve for privacy. That’s going to be a huge topic we’re going to talk about. I think that’s going to be a really cool episode.
Cameron Ivey:
But that’s also a big point just to bring up that there’s a lot of companies out there that want to dive into this realm. Like you said, hopefully those companies are doing it for the right reasons. But, I don’t know. I don’t know if they truly are, but we’ll see.
Gabe Gumbs:
Yeah, it is what it is.
Cameron Ivey:
What’s that line? Eat or be eaten, I don’t know.
Gabe Gumbs:
One of those things.
Machine Learning and Data Security
Cameron Ivey:
In the past few years, machine learning was the hot topic, at least from your perspective because you’ve been there for like 50 years now or something like that. Is that still a thing and what problems is it solving? Are they introducing new ones?
Gabe Gumbs:
That’s a good question. That’s a great question. Here’s what I’ll say about that overall trend. We still saw a large number of organizations introducing machine learning capabilities to the market. We equally have examined how ML can help solve some of these problems and have introduced that ourselves. I don’t see kind of the big fever pitch around ML as there was, which I happen to think is a good thing, right? I think there was this big marketing push by everyone to say like, “Hey, we do something around machine learning.” Because it was kind of hot and buzzwordy, but machine learning is only really good when it’s applied properly and when it’s solving a problem.
Gabe Gumbs:
The inverse side to that coin is A, machine learning isn’t the end all be all to us solving problems. But B, it can and does introduce some problems of its own, right? AI systems can propagate non-desirable behavior and bias at scale. That’s just the facts, right? Algorithms aren’t humans, back to that human element. As well intentioned as they can be, they can execute things poorly. Here’s a good example of that. There are commercial software packages out there that are currently in use by US judges to help predict likely recidivism rates. While that may be helpful in terms of kind of leveling the overall playing field when it comes to say properly applying justice, if those algorithms and those models are biased based on the data that they’re trained on, then the outcomes will equally have that similar effect.
Gabe Gumbs:
While I happen to be a fan of machine learning, I am a very cautious and optimistic fan. I am happy to see less of the big, “Rah, rah, ML is going to solve all your problems.” What I am hopeful for is that we will see more responsible, ethical use of algorithms, of machine learning algorithms going forward. I didn’t see a whole lot of talk around that in particular, but the fact that the pendulum is swinging away from everyone just making this claim of it’s solving their problems, I’m in favor of that. I’m highly in favor of that.
Gabe Gumbs:
Another good example, Facebook. Not to pick on them, but they are-
Gabe Gumbs:
… they’re relevant enough to this topic, right? They conducted some psychological experiments into user emotions and evaluating the influence of user’s emotional state by manipulating newsfeeds of almost a million people. They were kind of unprepared for the overall negative reactions that they were going to get just in terms of the press and how that helps set guidelines for future research.
Gabe Gumbs:
I can promise you this, as we see privacy regulations evolve, it is inevitable that privacy regulations will equally evolve and adapt to then addressing the biases that can be introduced by ML. We might be some number of years off from that, but we’re certainly well within your and my time frames for seeing those things.
The Human Element of Data Privacy
Cameron Ivey:
Awesome. Another question here. This year’s conference was about the human element. We’ve talked about it many times on this. How did you see the human element theme represented at the conference?
Gabe Gumbs:
There were a number of ways it certainly was on display. I think most of the top tracks were well geared towards sticking with that theme. But if I think about the technology side of this as well, there were a lot of solutions that were introducing, had introduced and/or kind of stepped up their games in the orchestration and automation space. As someone who has a bit of a religious slant on whether or not we have an actual people shortage problem in the data security space, I was kind of happy to see that instead of everyone thinking or orienting ourselves around, “We need more people. There aren’t more people,” we need systems that operate better for us. We certainly need to automate and orchestrate more of what these systems do. Not to be confused with simply, again, applying ML to things.
Gabe Gumbs:
But there were, and still are, a number of repetitive and routine tasks, not just in the identification of issues, but equally in the analyzing and the solving of those things. That was well on display at the conference as well. Everyone recognizing to some degree that orchestration and automation, while not our savior, certainly is useful in helping us solve those problems. What we saw were not just like the SOAR vendors doing this decision, the SOAR vendors, right? But, we saw technology across the entire stack introducing more automation orchestration capabilities. Again, big fan I am of those things.
Cameron Ivey:
Awesome. Just to kind of wrap things up, what’s the biggest takeaway from the conference and the trip in general? From your perspective what’s the best thing or the most exciting thing that you got to see that was different from these 20 past years that you’ve been?
Gabe Gumbs:
That’s a tough question to answer. I’ll tell you, my number one takeaway was I was happy that the number of people that did make it to the show made it. We’re obviously in the middle of a little bit of a crisis if you would across the world-
Cameron Ivey:
Don’t say it. Don’t say it.
Gabe Gumbs:
… with coronavirus. Yeah. I got to recognize it. I mean, we certainly can’t pretend like it’s not a thing, right? We’ve got a bit of a virus moving its way around the world. It’s causing a lot of panic. It was good to see the community come out and still share its thoughts and its knowledge with everyone else. There were, as you mentioned, there were some organizations that took the safety precautions and chose to make sure that they weren’t part of anything catastrophic. Which my take away, again, I’m just happy to see that the people that showed up, that best we can tell at this point, everyone made it home safe and healthy from that perspective.
Gabe Gumbs:
Things that excite me that this year’s theme was the human element and that privacy was on such huge display. Huge display is very, very emboldening for me. That was very positive. I appreciated that.
Cameron Ivey:
I know you’ve had some interviews. There weren’t any speaking points, but you had some interviews. Is there anywhere that people can listen to those? Do you have any sources that you want to shout out?
Gabe Gumbs:
Oh, man. There were a few indeed. Definitely a special thank you to Paul over at Security Weekly for having me on the show. I love sitting and chatting with that team. The list was fairly long this year.
Cameron Ivey:
We can put it in the notes.
Gabe Gumbs:
Yeah, let’s post them up on the follow-up blog to this. There were a few though. I sat in on a couple panels. Sat in with Paul and his team. Joe Pettit and the crew over at Tripwire and I had a great conversation. We met with Chris from Cisco also.
Cameron Ivey:
Absolutely.
Gabe Gumbs:
We’re going to post that one as well. Yeah, it was a great show. Every year it’s always a really good opportunity for me to equally catch up with my colleagues and peers in the industry. Yeah, let’s post those links of some of the other activities and the other speaking engagements that we participated in. Definitely got to get Scott Giordano’s talk up there as well. I think folks would be really interested. It was extremely informative. Scott’s super-entertaining for a lawyer I got to tell you. I don’t think most people see that coming, but he’s witty and ridiculously informative.
Cameron Ivey:
He is. Because sometimes lawyer talk can be a little dry, but at the same time he’s got a great personality to go with it.
Gabe Gumbs:
He does. Yeah, we’ll post all of that.
Cameron Ivey:
Awesome. Thank you guys for listening. Please share, subscribe. We’re on iTunes, Spotify. Look out for next week’s episode. We have our interview with Chris Leach from Cisco. He is the CISO advisor. That’s a great, great discussion that we had with him. Hope you guys are enjoying the content. If you have any questions, you can always email us.