Security Unfiltered

Lessons in Privacy from Across the Atlantic with Richard Hollis

Joe South Episode 165


What happens when a seasoned American cybersecurity expert navigates the intricate world of European data privacy? Richard Hollis, with over three decades in the cybersecurity industry, shares his captivating journey from Washington DC's government projects to leading Risk Crew in London. Listen as Richard emphasizes the critical role of process over products in cybersecurity and offers a wealth of insights into the ever-changing threat landscape. Along the way, he recounts the unique challenges and personal experiences of living and working in Europe, shedding light on the cultural contrasts that shape global cybersecurity practices.

Imagine the personalized service of a cigar lounge in Germany and the stringent protections of GDPR — a stark contrast to American business practices and views on data privacy. This episode unpacks the cultural differences between Europe and America with vivid anecdotes and eye-opening discussions. We explore how European values around data privacy influence business operations and consumer rights, offering a fresh perspective on what Americans might learn from these practices. Richard’s insights help bridge the gap, revealing the importance of robust data protections in today's interconnected world.

Our conversation also delves into the urgent need for enhanced data privacy and cybersecurity regulations, drawing parallels to past safety improvements in other industries. Richard shares his candid thoughts on the influence of big tech companies and the current inadequacies in data protection measures. Reflecting on personal stakes and the emotional disconnect many professionals have with data security, we highlight the broader implications for both individuals and businesses. Don’t miss this engaging episode that combines expert insights with a unique cross-cultural perspective, offering valuable lessons for listeners on both sides of the Atlantic.

Chapters

00:00 Introduction and Appreciation for the Podcast
00:52 Richard's Background in Cybersecurity
05:45 Living in Europe and Cultural Differences
12:09 Being an American in Europe
16:00 Data Privacy and GDPR
20:12 The Lack of Federal Regulation for Data Protection in the US
25:14 The Historical Context of Europe Compared to America
31:20 The Impact of America's Size on Data Privacy Laws
34:16 The Need for a Ralph Nader for Data Privacy
36:07 Monetization of Personal Data and Lack of Accountability
41:37 Differences in Mindset: Americans vs Europeans on Data Privacy


Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today

Speaker 1:

How's it going, Richard? It's great to finally get you on the podcast here. I'm really excited for our conversation today.

Speaker 2:

Joe, thank you, I'm excited to be here. Great, I love the podcast. Big fan, and I really appreciate the opportunity to chat with you. Thank you, sir.

Speaker 1:

Yeah, absolutely. It's always refreshing to hear that people actually listen to the podcast and that they actually enjoy it. It's not all for nothing.

Speaker 2:

Joe, your work has not been in vain. People actually do listen. I certainly do. No, I am a big fan. I'm not overselling. I think it's really pragmatic and I find it hard, it's hard for me, at my age in cybersecurity, to find something pragmatic that's not trying to sell you a gadget, which it's not. So it seems to be very pragmatic advice I find on your podcast. Well done.

Speaker 1:

Well, thank you, I really do appreciate that. You know, it's been an interesting journey, you know, and I feel like this year I don't know what it is. I feel like every year is a different, you know, I guess like growing opportunity or growing season, if that makes any sense at all. You know, like this year I haven't looked at my numbers at all, you know, but like last year I obsessed over my numbers, you know, and this year I'm just focused on like, having good conversations, having people on that I want to talk to. I feel like that's made podcasts a little bit better in some ways.

Speaker 2:

I think you're right, Joe. I think you know, the more you tend to look after it, you know, the more you have fun, the more it perpetuates itself. And one answers the other.

Speaker 1:

Yeah, yeah, absolutely. So, Richard, why don't we start with how you got into security, how you got into IT? Take me back to when that was, and what was that decision like?

Speaker 2:

If you have video you can see I'm a really old guy and I'm good to be one of those old guys I didn't want to be. When you're growing up you always had that neighbor who you kick the ball into his lawn and you're afraid to ask for it back. That's the guy I'm starting to be. I've been 30 years in what is now called the cybersecurity industry. It was once upon a time computer industry, which was an extension from information security realm when we started to process sensitive information on computers. I was there. I was there, I saw it all happen. I was there. I was at that meeting. We had good biscuits but we did a lot of things. I wished in hindsight we could have done differently, but I've been in the industry for 30 years.

Speaker 2:

I started my career. I'm an American, I'm currently working in London and I'm running a company called Risk Crew and we are a product-agnostic, you know, fundamentals consultancy. We're small, about 35 people, and we preach the gospel according to its process on the product. It's the configuration of the firewall, the maintenance, the management, the patching. It's not the firewall itself, anyway. So we, you know, when we do things like GRC, fundamentals lines to ISO or SOC 2, and out here it's NIS2 and DORA. Now you know, through the risk assessments and supply chain, you know, risk management strategies and all the way through pen testing and sexy things like routine testing. So I've been doing it, for the business is running for about 20 years.

Speaker 2:

But once upon a time I started in Washington DC, worked for government projects and I got headhunted by Lucent and Philips. They did a joint venture way back when on cell phones and brought me over and took me to Paris and did that for a couple of years until I thought I really wanted to start something by myself. So I started the business in London and that's it. We opened up the doors doing things like application pen testing, because we saw the game on an application level. We were early founders of OWASP and anything open source. We put our arms around it and say if that's what you can afford and that's't have to buy something, buy a product. So anyway, I've had a long.

Speaker 2:

But at the end of the day, Joe, I'm a big picture song and dance guy. I'm a risk guy. I could rebuild my old laptop if I had to. But that's a big "if I had to". It was pulling a lot of weight in that sense, as they say. Yes, I would know a firewall if you hit me over the head with it, but you'd probably have to hit me two or three times. I'm a big picture. What are you trying to protect? Why are you trying to protect it? What's going to happen to you if you fail? You know, what's your appetite for risk. And one of these guys who I've always thought that cybersecurity is an oxymoron such thing as a secure computer, it's identify, minimize, manage. So I spent a career doing that, truly helping clients do strategy with cybersecurity strategy and then filling out that strategy with controls and people, process, technology.

Speaker 2:

It's been a long road. I'd like to say it's been fun. It hasn't been as fun as I thought it was going to be in hindsight. Yeah, out here in Europe we have a really good view as a consultancy. That's not selling a thing. We have a really good view of the threat landscape. I really do feel in the position I'm in in my industry. I've got my finger, or at least we have a clear view of how threat actors are getting in and strong controls that you could do to negate that. So, yeah, it's been fun. Still is fun. It changes every day I come to work, which is a good thing.

Speaker 1:

Well, tell me about being an American and moving to Europe. You know I actually love Europe. Unfortunately, I've mostly spent, I think, pretty much all of my time in Germany. I've been to Ireland for 48 hours. I feel like I did the whole island in 48 hours. I went to Amsterdam, but I don't know if that really counts as spending time in the Netherlands.

Speaker 2:

No, it counts. That's a check in your passport. It counts. In some places it counts for the amount of time you actually spent there, because you could have lost time there.

Speaker 1:

Yeah, for sure, you know, as someone that loves Germany, right, I'm trying to convince the wife that when we retire in like 30 years, right, hey, let's go over to Germany. Like, let's go to Europe, let's go travel over there. You know, and she's very against it, but she's also never been, right. So what's that? What's that like? Because, and I ask also because in America it isn't very often that we get Europeans, right. But I remember the last time I was over in Germany, I went into a random cigar shop in Munich and, you know, one of the people in the lounge, there were three people in the lounge, right, including myself. One of them was an American, born in Seattle, founded a company, sold it to Microsoft, moved to Germany and founded another company. He's getting ready to sell it again, right. So, like, I'll run into Americans in Europe, like all the time, it seems, but very rarely do I get any run-ins with anyone from Europe in America.

Speaker 2:

I didn't have that experience the bulk of my professional life in the States, while I was born in the Midwest, but I ended up going to school in Washington DC, which was very international, Georgetown, American University, very, very international. In fact, I studied international affairs and so I've heard, you know, you can walk down the streets of Washington and hear French and Portuguese and German spoken on the street. But I like to travel and of course Washington is a very international city because of all the embassies and the government seat, and I used to travel. I used to travel a lot, I loved it, but the first chance I got I wanted to get out. I was in the military and I lived outside of the US for quite some time and I think there are benefits that are not known until you actually receive them. And for me, being an American in Washington DC, inside that little DC bubble of politics and reading the Times in the morning and the Post at night, I was one of these geeks who would actually listen to MacNeil/Lehrer on the weekends. I was just information-obsessed and yet felt like I knew nothing politically. Anyway, the point of that story is that I had the chance to go overseas and I initially went to Paris. I live in France now. I have a business in London, my wife is French and my wife, who's French, frankly doesn't think very highly of Americans. You know what? I can't say I blame her, outside of the obvious reason.

Speaker 2:

But in Europe I find there's a finer appreciation to a certain rhythm of life, the benefits of family, friends, food. I remember when I first moved to Paris as an American, I'd get there and I'd say, okay, let's eat, let's go do something. I was like, why do you want to do something? Let's go bowling, let's see a movie, let's go do this, let's go do that. And for an American it was about the quantity of how many things you could pack in a night, you know, and the French was very hey, ate, and that's it. You and I had to be reprogrammed as an American to live in a European culture. I live in France, in a small village. I gotta tell you the quality of life, like I said, the pace, the rhythm of life is a lot more real, you know, like from the fruits and the vegetables to how time passes, it just. And as an American, that's not it. Americans find, I find I was raised in the culture of, you know, it's quantity not quality. And in Europe, I find the Europeans have a finer taste for quality over quantity and I know that's a cliche, but it's certainly one, for my age and experience, that is based on a certain truth. So I enjoy life in Europe.

Speaker 2:

It's not, I tell you, the hardest part for me as an American was starting a business, because I started it in the UK, which is supposed to be, you know, it's the same culture, divided by a common language, as they say. But, you know, very, very different from how Americans do business, for example, the English.

Speaker 2:

I find just don't like to tell you no, and you know, as I'm moving in cybersecurity, I'm like, you know, can we help you out with pen testing? Can we do this, can we do that? Yeah, maybe. Don't want to say no, and it's, you know, where in the States it's, hey, you interested in getting some pen testing? No, no, thanks. Okay, thanks, don't want to waste your time, you don't want to waste mine. But there's a certain politeness that's in a European business environment that I find, as an American, it's just like, whoa, that was new. Sorry, it's been three years I've been asking you if you'd be interested in supply chain risk assessments. I think it would have, you know, and you have to come to a sense to say, all right, you know, I'm a nuisance. So anyway, there's a lot of things that, you know, after I've been over here 30 years, and after 30 years I'm looking around thinking I'm still, I still feel like an outsider here.

Speaker 1:

Yeah, it's really interesting, the culture differences, you know, between Europe just overall and America, right. You know, when I went to that cigar lounge, because I had spent a decent amount of time in Germany before that, you know, I think I spent probably eight weeks total in Germany before that, which is a good amount, right, for an American to make that kind of a journey to go there, you know, several times and whatnot. When I went to the cigar lounge, you know, it was closer to like closing time, right, or what it was was, they were closing early, but it wasn't posted online. So I thought that I was there, you know, two, three hours before closing. In all actuality, I had about 45 minutes, right. I didn't know, you know.

Speaker 1:

So I bought the cigars and I asked very politely, can I smoke them in your lounge? You know, because I don't know, some lounges are different, right, they have different rules. In America you have to spend a certain amount, maybe the lounge is only for members, all that sort of thing. He goes, well, where else were you going to smoke it? I'm like, well, I mean, I guess. He's like, Joe, it's 30 degrees outside. I'm not going to tell you to go outside and smoke a cigar. I'm like, well, that was kind of my plan, and you know, the hospitality was something totally different. You know, if that was in America they'd be like, no, we're closing.

Speaker 2:

You know, yeah, there's that, there's this. That's, I guess, what I mean in terms of the pace of life, the rhythm of life. We're not going to close the doors on it. You know, when you just bought the cigar, we understand, and it's always in there. That's a good example. It's a really good example of the way businesses operate differently. There's more focus on people.

Speaker 2:

But I tell you, on the flip side of that though, joe, in terms of things like how people view, bring this closer to home in terms of cybersecurity, I find the Europeans in general have a very fine appreciation of privacy in general. In the States, you would have bought some cigars and within minutes, you would have been in databases across the states about cigar smokers. Are you left-handed, are you right-handed? Do you like these cigars? Do you like those cigars? In Germany, you walk into a place. You get a cigar. The fact that you like cigars is not going to be shared, as a consumer, with anybody else. It's just this data privacy is a big deal and, as American, I love that, because you know it's cybersecurity. I love that.

Speaker 2:

I talk to US businesses who have, you know, data is just a commodity, it's cash. Where over here, data is not, protecting data is not about ones and zeros. It's about, this is data about people's lives, whether it's the kind of cigars they like or their geolocation, where they were last week, or what kind of movies they like or their Netflix to-do list.

Speaker 2:

It's a very more private as well as personal approach to both business and, what I'm finding, to security. People see data as a human thing and the right to privacy and these things that you see in GDPR, the right to be forgotten, the right to this, the right to that, it is seen as a fundamental human right that the data that businesses process, store and transmit on us, on their customers, isn't just given out willy-nilly, like it is in the States, frankly. So that's what I see and I appreciate both, you know, this pace, this rhythm of life, and also this focus on the fundamentals of privacy. I think the Europeans got that absolutely right. We could learn a lot. As Americans, we could learn a lot, because we just don't understand, and you know what we have until it's gone.

Speaker 1:

Yeah, yeah, that's a really good point. You know, and being in security, right, I remember when GDPR was coming out and everyone in America was stressed out about it. It was on the news and, you know, especially everyone in security, because we were paranoid that, you know, something would leave the boundaries and whatnot, right. But I felt like I was the outlier, right. I was the one that was saying, man, this is actually really great.

Speaker 1:

I wish that we had something like that here, because it gives the power of that data, of holding that data, back to the person that created that data, right, and that is something that is so foreign in America, and probably 99% of people in America don't even realize that. You know, you're on Facebook and it's free because you're the product, right? Cambridge Analytica set up an API with Facebook for a very, very small amount, like $15 or whatever it was, and they were able to harvest all of your data, and guess what? They used that to sell to other companies, to use direct marketing against you. It's a dirty business, almost.

Speaker 2:

Well, okay, so yeah, you're making exactly, you know, for me you're just ringing a bell that I wish more Americans would. I live and work in Europe, where there is a finer appreciation to, you know, personal data is just that. It's personal. This is my blood type, this is my DNA and as such, I have a right to it. I remember 20 years ago, when the EU was first coming together, that they were talking about literally.

Speaker 2:

Data should have a copyright to it. Like a songwriter gets a royalty for a song that he writes, so should a data subject get a royalty every time a business uses that data to make money. You're using my blood type, you're using my DNA to generate a revenue for your business. How come I'm not getting a piece of that? That logically holds up to me as a consumer, I'm thinking, and, of course, the impact on our lives from our data being sucked up into this big vacuum cleaner of Amazon or Facebook or whoever, and it's resold and repackaged, or Analytica. You don't know until it's over and you've either lost a political party by that and you understand what the impact really was on the society, or, as you, as a net user. And when it's over, it's over. You can't get back privacy. You know, it's a binary, it's a binary condition.

Speaker 2:

Once your DNA is out there, it's out there and that's it. You know, and I know so many people who've been in that, you know, so many people who, oh sure, I'll join up to ancestry.com, here's a DNA swab, and then suddenly they can't get health insurance and their kids can't get health insurance. And you're like, of course, don't you understand that's the way it works? You know, that data is sold to people who want to buy and understand who's prone to emphysema or bronchitis or leukemia or, you know.

Speaker 2:

But data privacy is just, I, anyway, I get the Europeans. I think it is one of the pleasures of living and working here that there's a finer sensitivity to, actually, you know, once we lose this data, we're, and so it gives it more of an importance to. I find American firms, even those American firms who are here working in Europe, they just see it as ones and zeros. Europeans see it as, this is data about my life and it deserves, I deserve for it to be processed or transmitted, you know, securely, and that doesn't mean it always is. That's far from it.

Speaker 1:

But there's that approach to it which I appreciate much more, as a cybersecurity has seen more revolutions, right, kind of plays a role into it. Right, I mean, no one in America even thinks of the revolution that we had. Right, that was 300, 400 years ago, right, like, who cares about that? No one knows about it anymore. If the government were to tell us, you know, one thing about it, like, we wouldn't be able to refute it really, because, you know, you're in grade school when you learn it, fifth grade. I don't think I remember anything about it other than it happened, you know, in whatever year, right, 1776, right. That's like, that's it, that's the extent. And it's so foreign to us to say that's not right, we have to go change it, like we don't even know how to go change it.

Speaker 1:

I was talking to a friend over in the UK and he was saying, I'm very confused as to how America hasn't had a revolution yet. You guys have all the guns. How do you not have a revolution? Like, how do you not have the government that you want? And I was like, hey, man, we don't know how to do a revolution anymore. We know how to, you know, how to protest, we know how to, you know, have some riots, but we don't know how to take it beyond that, you know, and we have no ability to, because we haven't done it in 400 years almost. And we see other countries doing it, but somehow we still kind of have it in the back of our minds, hey, you can't do that, that's not for you, right? Yeah?

Speaker 2:

It's odd, because the American personality, at least to Europeans, is that we're very aggressive, and we are. That's about our guns, that's about our freedom, but we don't put two and two together and it doesn't. You're right, I love that we don't get the government we deserve or that we want, but I don't know, I don't think it's as easy as that. I think there's just a leadership void. And, you know, frankly, we're a big country full of, you know, we're all immigrants. We've all come from somewhere else. We all went there to build a better life, and Europeans get that. You know, they see the Americans, you know, because they have, you know, their aunts, their uncles, whether they're, you know, from Germany, from Poland, from France, from Spain. They know somebody in the States because they have relatives there who've immigrated there 20, 30, 40, 50 years ago. My grandparents came from Poland and it was the place to be, and so you went there to get away from what was happening in Poland at the time or what was happening everywhere. We don't know how good we have it, where the Europeans have a long, as you say, a long bloody history of turmoil and social unrest, and they know what it takes to go out on the street. The French just had an election. The UK, the Brits, just had an election. It is just, we're a two-party system in the United States. It's this one or it's this one. It's the right hand or the left hand. Which do you want? And, you know, in a country as big as 340 million people, whatever we are now, how can it come down to two choices? I don't know. It's just amazing. You know, and because of that we don't get leadership back to, i.e., like data protection, privacy legislation. A country like the United States does not have federal regulation to mandate data protection. That's crazy. That's crazy to a European.
You know, we talk about Europeans see it as a fundamental human right, and, you know, Americans don't even have it registered as a law. You know, unless you live in California and you've got California State Senate Bill, you know, that you deserve. And as a common denominator culture, the Americans, I see it, living overseas, we elect common denominator leaders who speak in soundbites and try to please as many people as possible, and year after year we get less and less done. I don't know, I'm being pessimistic.

Speaker 2:

I'm technically a baby boomer. I'm on the end of a baby boomer. I was born in the late 50s and I don't know. It was a different time growing up in the 60s. For a kid like me, when people are trying to live at the Pentagon and, you know, stop the war in Vietnam, and suddenly we're overtaking the Capitol, I don't get my tribe. I don't understand what happened to us. How do we go from baby boomers trying to levitate the Pentagon, you know, to overtaking the House and Senate? I don't know it's, but you know. The other thing, though, Joe, is we're young, you know, and that's absolutely what Europeans know. As you said, they've had hundreds and hundreds and hundreds of history. I lived in Paris. I lived in an apartment building. It was older than my country. It was older than the United States.

Speaker 2:

The apartment had been around for 500 years and I thought, oh okay, that gives me perspective, and I'm just living here, you know, and my country hasn't even, you know, had separated from England for that. So, it's young, it's early days. I'm hoping that we get through turmoil and start to understand what we really were, because, man, we're capable of so much.

Speaker 1:

Man, that is so wild that your apartment building was older than America, especially considering, you know, it went through two world wars. That is wild to think that, you know, and I think that that's part of the appeal to Europe for me, you know, is the history behind it, right. Like, it's just amazing, like, everywhere you turn, and the way that they present the history and, you know, the way that they teach it. It's something that's unlike, you know, anything that I've experienced in America, which is, I think, kind of what draws me there. But, you know, to your point about data privacy, you know, that's a really good point.

Speaker 1:

America doesn't have, you know, one overarching body that governs data privacy, right, or one overarching law, so to speak.

Speaker 1:

Right, we have a whole bunch of different, you know, little individual laws that are different by state. That, you know, and for people that are listening, potentially, you know, in Europe, right, one of our states is the size of your country, like, that's literally what it is, and, you know, it's funny. First time I went to Germany, I was talking to someone from Russia and he was confused as to how I hadn't, like, seen, thoroughly traveled and been to every single state in America. He goes, I can understand Hawaii because that's so far away, but how can you live on the same continent and not go to everything? And someone else from the UK that actually studied American history was like, hey, man, the state of Illinois is like two times the size of Germany, right, and he was so confused, he was so blown away by that fact, and I literally told him, I was like, hey, like, you could drive for eight hours and you're still in Illinois, you know? Or you're like just about to break that border, right. Like, that's how crazy, just how crazy.

Speaker 2:

The distance is, you know?

Speaker 1:

Yeah.

Speaker 2:

Yeah.

Speaker 2:

If you start at the top and you go to the bottom, it's like eight and a half hours, is insane. No, no, I remember I used to drive from Washington DC to Wisconsin and, you know, it was just, to get across Ohio felt like, you know, a major commitment. You felt like, you know, and I just, I've never understood, like, the trucking industry, how you could drive like that for a living. Yeah, yeah, the size, the space is just overwhelming. But on the other hand, when you talk about international travel and stuff, so yes, we're living in states that are the size of countries in Europe and elsewhere around the world, but at the end of the day, the other thing is that Americans, I see this statistic and it's like seven out of 10 Americans don't even have a passport.

Speaker 2:

So we might go to Canada, we might drive down to Tijuana or, you know, go to Cancun, for, you know, that's our idea of international travel. But honestly, you know, to go to another country and then look back and look at the United States, you see it in a completely different context. Yes, you see how big it is and, yes, you see how varied and how tough the problems are. But it's not until you leave someplace War and look at it now and think, wow, this is just, the world is around us.

Speaker 1:

Yeah, that is. That's so absurd that seven out of 10 Americans don't have their passport.

Speaker 2:

It's a rough statistic. I heard this years ago but every year I just hear it's like the same. It's like you know, it's like those FBI cybersecurity statistics they're different but they're the same year after year after year. And the fact is, and you know what, hey, okay, if you're happy and you don't feel the need to travel, that's fine.

Speaker 2:

But I know, growing up, you know, with Polish grandparents who really sacrificed everything they could to get to the United States, you know, to get a job making beer in Milwaukee, you know, that was the end goal. Why do I want to go back to Poland? You know, or much less, you know, France or Italy or Spain. No, I wanted to be here and there was that mentality when I was growing up. You don't need, everything you need is right here in the United States. And to a certain extent, you know, it was, it maybe still is, you know. Yeah, we don't, had it not been National. My dad had a fix for National Geographics. You know, that was my little fix, and you read those and just something gets in your blood. You gotta go, you gotta see China.

Speaker 2:

And once you do, you say cool, what was I whining about back in the states? You know, yeah, we don't know how good we have it, but we're off the work yeah, that's a.

Speaker 1:

That's a really good point, though, that you bring up, and do you think that the sheer size of America kind of plays into the data privacy law issue in America? The reason why I say that is because it seems like in America, there's like very definitive that we have as a nation that the federal government leaves up to the states, right. I think more because they don't want to deal with it, they don't want to spend the time and resources to actually, you know, solve it, right, and so they leave it up to the states to decide on how they're going to, you know, treat something or act with something, right. Do you think that the size plays a role, or is it just, you know, lazy Americans not wanting to kind of go all the way with something?

Speaker 2:

I don't know. Look at how... I think of when I was a kid. I was driving around in cars with no seatbelts. They weren't mandatory, you know. They weren't mandatory and we were getting in car crashes and flying through the windshield at 20 miles an hour. We were, and people were needlessly dying because Detroit did not see any financial motivation in putting... I don't know how much does a seatbelt cost, a piece of canvas with some metal buckle on it?

Speaker 1:

It can't be much.

Speaker 2:

Two, three bucks if you bought them at mass. Yeah, exactly, but it took guys like Ralph Nader in my lifetime to just say this has got to stop, right. So in certain areas, airline regulation, automobile safety, suddenly we get from no seatbelts to anti-lock brakes and airbags, and look at all the features. That's mandated by federal legislation and overseen by a safety council. What's the problem? What's the difference between that and cybersecurity? I don't get it. I don't understand it. It can hurt a consumer, it's proven, your data's lost and it can have a financial impact on you, whether that's immediately in this identity theft or long-term like I can't get health insurance, whatever it is, but clearly the connection between the citizen in a society and the protection of that citizen's data. They're not sure they're a data set, so I'm not talking about name and date of birth, but I am talking about DNA and I am talking about blood type and health records and things that are sensitive to that end user. I don't understand how we don't see that as a government requirement to protect citizens. We protect our citizens when we put them behind the wheels of cars, but we don't protect them when we allow them to use the internet and have Jeff Bezos take their geolocation and sell that for their religious affiliation or their sexual preference? Or are they gay, are they bi? Are they this, are they that, and sell that, monetize that? I don't get it. Uh, I don't get it.

Speaker 2:

So I think it's not because we're a big country or because people who live in South Dakota differ from people who live in North Dakota or California or Chicago or, you know, Illinois. I think it's because we have not looked at it from a macro level and understood the damage this is doing to our society, to our people. Like safety in automobiles or safety in airplanes, we need safety in our computers. And it's funny because, when it comes to understanding cyber threats from nation states, this administration alone, unbelievable. Making sure that the government, when the government is processing, storing or transmitting government's information, that we keep all our harms away. But why aren't we doing that for our citizens? No idea, no idea. I don't understand how people don't. We don't have a Ralph Nader for cybersecurity that says enough is enough. We're losing too much data. Yeah, it's a good point.

Speaker 1:

You know, I only come back to, you know, like, what's been going on with Facebook, right, or Meta, where Meta was caught. You know what was it. It was like promoting, you know, sex trafficking in some way and allowing, you know, pedophiles to connect with children and things like that, right, and they kind of got a slap on the wrist, right. They got brought before Congress and now we are three, four months removed from that. We're in an election year and no one is thinking about that, right? Anyone listening to this podcast, I almost guarantee you haven't thought about that since then, right?

Speaker 1:

But when the data is so abundant and you have so much of it and you're making money off of that data, what is a fine going to do? Right, Meta probably has lobbyists working for them that's going to go get that fine down, so it's not going to be the real total amount or anything like that, right? But when you're basically printing money, you know, as these big data companies, what's a fine going to do? You know, I feel like there's just too much money going around for any real impact to take place in the data privacy, right, because the companies that have this data, that are making insane amounts of money off of this data, they have the money to go and pay for the lobbyists to go and say, hey, you're invested in my company too. Congressperson, Senate person, whatever, right, you're invested in my company too. You have a vested stake in this. How about you just leave it alone? And nine times out of 10, they'll either leave it alone or they'll make a change that isn't really significant to the business to improve anyone else's data privacy. Joey, you're bringing me down.

Speaker 2:

I thought we were going to be positive. I thought I was going to hang up feeling, hey, uplifted. No, you're right. For me, I'm listening to two things. I'm thinking all the money they could make. They could put a little more effort into protecting that data. And the other key word that you use is they were caught. Now, when you're caught for one thing, think of all the things you weren't caught for. So, getting caught profiting off of, you know, a sex trade, that is one thing. Well, that just shows you that if that's where you're caught, I think it's like for me, I absolutely do believe, criminals, you always see the tip of the iceberg. You see when you're getting caught, you're just stupid. And it's where you're not getting caught that people are getting away with real crime and making real money.

Speaker 2:

I don't know, Joe, I don't have an answer. I think we need a consumer. I'm not kidding when I said we need a Ralph Nader for privacy. We need somebody to say enough is enough. How is it that Facebook and Amazon and all these tech companies have shown us that data equals cash? And once we understood that our data, our personal data, meant their cash, how come we didn't say stop, stop, stop. You have no right to sell my DNA. You have no right to sell my biometrics, my blood type, my religious affiliation, my tax code, my social security number. These things are mine. This is my intellectual property. They belong to me. I don't know, but yet we're just.

Speaker 2:

I never forget my sister once. She's working on a family tree and she showed me this family tree. I said where'd you get this? And it says here uncle so-and-so came over from Krakow in 1906. And I'm like I don't even think grandma knew that. How does this company located in Illinois, how do they know more about my family than my family does? Please tell me that. You know we never even knew who our aunt so-and-so was married to or what her real maiden name was, or you know. And yet this is in the database that people are selling to us. Here's your family. Let me sell that back to you. Here's your family tree.

Speaker 2:

These ancestry platforms you're thinking now they get into DNA. I just don't understand how we didn't catch up and say, hey, wait a minute, that's my family. How come I got to pay for that information? They give us a free this and they give us a free DNA swab and we'll show you who you could be connected to. And you're like, wait a minute, you know, I found out my niece gave away her DNA and I'm saying, hey, that's my DNA too. That wasn't your right to give up our family DNA.

Speaker 2:

I don't know, we just don't get it. We don't, we don't, it's, you know, this, and of course, we're lazy, we're fat, we're overfed, underloved and we just love the convenience, the convenience of Bezos telling us the next book we're going to buy, or Netflix telling us, hey, if you like this, watch this, this and this, and not understanding, well, where do they get that data? We just don't get it, we just don't get it. So, anyway, I think it's a consumer thing and I think, until consumers say enough is enough and then we ask for it, I'm not pro-legislation or regulation, but I don't see how this is going to be fixed.

Speaker 2:

We couldn't put seatbelts in cars without legislation, without the government mandating it, and then it changed lives, it saved lives. Millions and millions of us have been saved from drug driving, and the same thing could happen in our industry, in our cybersecurity industry. But I don't know. I'm at a conference and I'm advocating regulation and I sound like some neo-fanatical. The government's not the answer. When the government has to step in, we all got it wrong. Clearly, we need to fix something that's broken.

Speaker 2:

And the fact that our personal data is monetized by other companies with no kickback to me, I think something's wrong. And the fact that they don't pay to protect that data? You know they breach it and suddenly bad guys have it, as well as Meta, and you know, because Meta lost its database of everybody who's left-handed in Wisconsin. And they have that database of everybody who's left-handed in Wisconsin. They do. And because if you can monetize left-handers in Wisconsin, you can sell it. I bet I'm telling you that's the whole point, until we see that then suddenly you know, hey, the left-handed database is up for sale on the dark web. People don't care. Okay, I'm left-handed, but it doesn't mean I won't have job opportunities in my future. Really, we'll see when the right-handed people take control.

Speaker 1:

Yeah, that's, uh, that's interesting. I wonder how many sports organizations would actually buy a database like that. You know, that's left-handed people that play a certain sport. You know, because predominantly the players are right-handed, right, so if you can go with your left hand, it throws everything off. It's like it really confuses a right-handed player sometimes of, you know, the timing and everything, right, I'm thinking about baseball. But to bring it back to risk, you know you brought up an interesting point with Facebook, right, they were, or Meta, they were caught with, you know, an atrocious crime, right, sex trafficking, right, and they were not committing the sex trafficking themselves, but they were definitely enabling it and allowing it to happen on their platform.

Speaker 1:

Right, they were profiting from it. And you know someone, you know, at Meta, right, a lawyer or someone else, right, literally said what's the risk of us getting caught with this compared to this other thing? And you know someone had to say, oh, I'd rather be caught with sex trafficking, I mean that is the.

Speaker 1:

That's the risk calculation that they made, that's the actual math, right there. And they, literally, they probably attributed how much they would be fined, the publicity that they would lose or gain, all of that stuff. And so it's fascinating to think about it that way, because I'll give you an example. Right, I was at a friend's wedding and me, and probably like five other couples are, you know, having their first kid within the next six months. Right, that's a, it's a huge thing.

Speaker 1:

And you know these couples are saying, you know, I'm not gonna go with a baby monitor or like a normal, you know, camera baby monitor, because, you know, the camera feed is being sold on the dark web and, you know, predators are breaking into homes and stealing babies and things like that. You know the 0.001% of, you know, these occurrences, that's what they're basing their risk profile off of. And, you know, they're asking me what I'm going to do, right, because I'm in cybersecurity, and what am I going to do? And, you know, I told them like, yeah, I'm getting a Nanit, you know, baby monitor, whatever. It's going to be great. And they were just completely confused: how are you going to do that? Right, and I'm saying look, you are a small, small, small fish in a very large pond. One, what are the odds that someone is going to find that specific data feed? And two, I actually have network security controls in place where I can limit very precisely how much data that camera sends externally, which I actually had to really lock down significantly, because Nanit is just a spy tool at this point, for how much data it was actually sending out of my network.

Speaker 1:

I have a medium-sized enterprise network in my home. I have network switches, I have firewalls, everything like that, right, and the amount of data that it was actually sending outside of my network was crashing my network, it was slowing everything down to a halt and I'm like what the hell is going on? I did not just pay a premium to Xfinity to get 100 down, like I paid the premium for 1.5 gigs down, you know, and I look and it's Nanit and it's taken up 90% of my network bandwidth and I could not believe it. I mean, obviously I put the restrictions so that it's literally just allowing me to, you know, connect from my app.

Speaker 1:

You know, like as a parent, that's very, very concerning. It's alarming, right, because I mean, it's a camera that you're using to watch your kid when they sleep, right, make sure that they're okay. You know that's it, right, but they're sending so much data. I mean they have to be collecting data from every other device on the network and then sending that somewhere and they're selling it. They have to be selling it.

Speaker 2:

It's very lucrative. It's everywhere, though, Joe. It's in everything you see. Look at the iPhone earbuds they take your pulse rate, your heart rate, Literally. You're reading Not only that, but just the general volume that you listen to, which might be your hearing level. All that, send that back. Who bought Fitbit? Who was losing money? Hand over glove, Microsoft.

Speaker 1:

Was it.

Speaker 2:

Google, Google, yeah, Google, you're right. Google bought Fitbit. It's a losing business. What did they buy? They bought Fitbit because Fitbit takes your heart pressure, your blood pressure, your, you know, it's medical data, everybody who uses it. You know the Peloton bicycles, all that, they're just user reporting. You know, profiling vehicles that send that data back.

Speaker 2:

You're right to look at the egress. You know what's egressing your house from your refrigerator, for crying out loud, much less your nanny cam. But hey, why does it keep going up? Why doesn't somebody say enough? Why, why, why can we? Why can you be a vendor and make a product that is essentially fly well and sell that legally? And this is where I say, you know, is the answer legislation? At this point, I don't see what else is going to do, because when there's money to be made, you know, and that's still, here's the problem with that editor, whoever they are, they're taking that data, pulling it, you know, vacuuming it out of your house, putting on this, and not spending any money, you know, to, and then threat actors come in, take that, and that's the kind of stuff that, you know, your friends are talking about. Oh, pedophiles can get on the same page. Yeah, because they're selling these in databases.

Speaker 2:

And all of this data, because it can be monetized, has value to somebody. And it is just the craziest one I saw. I was on the dark web and I saw a database of 5 million users and the data was all about what hair conditioner they used. And I thought to myself, A, why would you steal this if you were a hacker? And B, who would you sell it to? And it had been sold over 200 times in the last year. You know, per record, and you think, wow, you know, if you don't get that data equals cash. I don't care if it's, here's a database of who uses what hair conditioner. Now you think, who's the buyer to that? Is it other people who are selling hair conditioner who want to figure out who uses what? Maybe so, it's a competitor, is it? I don't know, but it's just amazing how you can monetize the strangest data and make some cash off it.

Speaker 2:

And our threat actors. I don't see any difference between a hacker and Mark Zuckerberg None whatsoever, just different methodologies. Mark will take it from you for landing on a site, amazon. Amazon puts a cookie that will take your password. Go back and go to Experian or Equifax and pull your credit report for just landing on the site, just landing on the site, and they will suck up all your passwords. What you build are you using? Are you you download Spotify? Are you using this? Are you? What applications? What operating system? What all for landing on the site. How does he get away with that? How can anybody get away with?

Speaker 1:

that.

Speaker 2:

Because in my mind, that's spyware, that's an intrusion by privacy. My grandmother wants to go to Amazon one day and she goes to that big thing called the internet and she types in Amazon and lands on his site and suddenly my grandma's got her credit written in Mark in Jeff Bezos' database and he doesn't protect it. Somebody steals my grandma's data you know, credit profile and sets up and does identity theft because Jeff Bezos didn't protect it and my poor grandma landed on the site and that's the way, that's the. We don't connect those dots. You know, when I say we don't connect, this is not ones and zeros. Think of that person who sat at that, you know, at that meeting and said, hey, if we get caught in this sex traffic thing, but then they went home to their husband or their wife and their kids and that's what they did. They sat at that meeting where they said, hey, we had Facebook. I met her that day and said, let's go with this until we get caught, you know, and then we'll just buy our way out or somebody. When we go to work in these tech companies, we just see this as ones and zeros we don't understand about. Hey, wait a minute, this is people's lives. We put people in farms away from sex traffickers or pedophiles or whatever.

Speaker 2:

The issue is, if we don't look after this data, data for children, data for housewives, all of this data in the wrong hands is critical to our well-being. Now we have not passed a law mandating the same protections required for top-secret information for a government. How come we're not doing that? Eyes only. I want my DNA treated as information top secret, eyes only, and only five people in the world should see my DNA, and I should approve all five of them, and one is my doctor. Outside of my doctor, nobody else has got a right to see my DNA, and that's because I'm undergoing some sort of prognosis for some disease that I may or may not have, but that's a need to know. I just don't understand how we don't apply that same government secrecy classification scheme very easily to what is personal, sensitive data sets of you and me.

Speaker 1:

Yeah.

Speaker 2:

Do I sound cynical, Joe? Because part of it is the cappuccinos and part of it is the lack of cappuccinos, so I sound too optimistic.

Speaker 1:

Well, you know, this is why I have the podcast, right. This is a security professionals' conversation about, you know, topics that touch everyone, right, like when we're working at these companies. You know, as a security professional, you're not thinking about one subsect of your customer base or one subsect of the data. You're not. You're thinking about every single customer, every single location that they reside in, every policy, every law that's going into effect, every law that isn't even on the books that's being talked about, right, you're thinking about those things. And so if me and you, you know, met up at a pub right somewhere in Europe, like this is what our conversation would be, right. So that's the whole reason why this platform exists.

Speaker 1:

And you know, I wanted to ask you, being an American and going to Europe and then being in the risk industry, the risk side of cybersecurity, was there a difference in mindset that you had to make to more effectively run your business? People are so polite that they won't tell you no, but we're also talking about fundamental ways in which entire continents view the risk of someone's data, right? So I'm wondering if there's a shift that happened somewhere in there where you said, you know, yes, what is it like? Ancestry.com shouldn't have my data, right. That's a mental switch, though. Most people don't think like that, but you and I, of course, think like that. But how did you make that switch?

Speaker 2:

data. You know, and as seen through things like GDPR and the adoption of GDPR, and how quickly it went to market and how quickly European firms were able to be compliant.

Speaker 2:

Literally, it wasn't a big deal. It wasn't a big deal why? Because it was always there. It just was codified into legislation and now to do business with a European firm, you had to be GDPR compliant to these principles, to this, you know. And so Americans, like we talked about, had a hard time with GDPR, had a harder time.

Speaker 2:

So I have cultural, you know, I feel that client is more this thing that we've been talking about. This is, you know, it's not ones and zeros, it's the state of people's lives. European clients are much more sensitive to that fact. That's not to say, if there's one ADB made, they won't sell a database, they do. I mean, the Americans are the ultimate example of the commoditization of our personal data at little or no regard to the data subject. I think no. The changes I had to make essentially to doing business with Europeans was, you know, Americans are very, you know, we've got to have it now. We've got to have it. You know it is half-dad, but yesterday, I need it cheaper, I need it faster, I need it brighter. I'd be this far, okay, but Europeans are very, very slow. So the sales cycle, for instance, I don't know what the sales cycle is for penetration tests in the States, but technically we could talk to a client for almost a year before they get one and they haven't talked to anybody else and they're not shopping around, they're not considering it and it's an expenditure. But the other thing I find is they actually calculate the return on the investment and I have more. You know, I quantify, all right, what benefits will come back from the pen test. You know, and that return on my investment of 20,000 pounds or euros for a pen test, well, you can buy a car for $20,000, not a great one, but you know it's a big purchase. And they're getting a pen test report of 10 pages, 15 pages, you know. So there's a lot more fixation on the value and the return on the investment for the spend, which I love, love it.

Speaker 2:

I don't think American CISOs in general quantify or use KPIs to measure the return on their cybersecurity spend. I don't. So I just I think that's very pragmatic and I think that's great and there is emotional response. But in terms of this is data about people's lives? I get that, but it's on the management level but not necessarily in the board level. For instance, I walk into a board and I say right.

Speaker 2:

First of all, raise your hands if you have personal data in these systems, and you don't see a hand go up. In fact it's one when you say wait a minute, none of you, none of the board members, have their personal data, their first name, last name, home address, where their children go to school, in the systems that have to be GDPR compliant or whatever, you know, our client's requirement, or I'm about to help them with their risk appetite for that, and that's the first thing I notice is, well, that's a business thing. That's not about me. You know, and I've got skin in the game, you know, is not there, and I'm just shocked and they're looking at me like, what, are you trying to be funny? I wouldn't put my wife's, you know, my wife's, our mortgage, or where my wife said you are my chill, where do my children go to school, in these business systems. And you think, well, you don't get it.

Speaker 2:

And I still think that this idea that it's not personal, I don't know about you, Joe, but I go to security events. I go to about 50 a year, 30 to 50 a year, seriously, one to a month, and I go and listen to people talk about it, talk about it, talk about it. But very few of us walk the walk. Very few people come, you know, and they say the security in that system over there, and I say, well, what's on your laptop, let's start there. And they go, well, I don't know what's on my laptop, it has nothing to do with mine, our threshold. We always project cybersecurity onto another system but we seldom actually practice that. And what I see lacking in cybersecurity professionals, regardless of if they're European or if they're Americans, is that personal connection of this is my data that we've been talking about. One more quick, every three or four months I have.

Speaker 2:

So I'm out here in London, I have lunch with who is the MD of what is the UK's largest seller of firewalls, and I'm not big on cybersecurity products, as you can tell, but hey, you know, it's part of the industry and I keep in touch and I like this guy. We meet up for lunch every three, four months, once a quarter or whatnot, anyway, but the last time I met him, literally earlier in the spring, he walks in and he's red, he's mad, he's upset. I said what's wrong, what's wrong? And he said somebody hacked into my laptop and I went the irony, very good living selling cybersecurity products. Somebody broke into your laptop, you know, and said I'm just having a great day. I said, well, what's wrong? So what? I mean? It happens, you know, it's risk management. But now he's upset because he said, yeah, and they took pictures of my wife and kids on our vacation. So now he's got this visual somebody looking at pictures of his wife and kids on a beach someplace and Ibiza or whatever and now it's personal.

Speaker 2:

And this is a guy in our industry who sells firewalls for a freaking living and makes a very comfortable living at it, but now he's upset. Now he's upset why? Because it's personal. Because, you know, it's his wife, his kids, and I think that's our problem. That's our problem. That's our problem in the industry that we don't have. You know, we talk a lot of stuff, but until it's our data, until it's our hair conditioner, my hair conditioner, I'd be upset if somebody knew what conditioner I use. That's not a big secret. I just say, yeah, anyway. It's that disconnect that I find, Joe, is we're guilty of.

Speaker 1:

Yeah, yeah, absolutely. You know, richard, unfortunately we're at the top of our time here, but I've really enjoyed our conversation you know and I really want to have you back on.

Speaker 2:

That's kind. Thanks. I'd love to be back. Sorry to get too talky but, like I said, I'm an old man and I rank you. Things could be better in our industry. Anyway, well done on the podcast and keep pushing that boulder uphill Joe. I appreciate our time. I appreciate our chat.

Speaker 1:

Let's keep fighting the good fight. Yeah, absolutely, Richard. You know, before I let you go, how about you tell my audience where they could find you if they wanted to connect and where they could find your company if they wanted to learn more?

Speaker 2:

That's great. I'm on LinkedIn, like everybody else. I'm on LinkedIn. Just look for Richard Hollis, H-O-L-L-I-S. The company I work for is Risk Crew, it's riskcrew.com and, again, just no products, all services. But you know, certainly see, you know, the philosophy in the company pages, in terms of skin in the game, these things that we've been talking about. We do try to practice what we preach and the company's a reflection of that. Thank you, Joe. By all means, reach out to connect. If you've got a problem with something I said or a good joke or a new hair conditioner I could use, I appreciate all three.

Speaker 1:

Awesome. Well, thanks everyone. I hope you enjoyed this episode.
