Transcript
Alright.Wanted to welcome everybody to our latest episode of Virtru's Hash It out.I am joined by Rich Foltak. He's Dito, Ciso, and VP of cloud. Good afternoon, Rich. How are you today?
I'm doing great. How about yourself?
Doing well. Thank you. It's seventy degrees in Sunny, Washington DC. No. No complaints.
Rich today, we wanted to focus on kind of safeguarding financial data, some best practices you know, especially tax seats, season coming up. First, wanted to see if you wanted to just provide a little introduction on your role at Dito, and what you're focusing on.
So my name is Richard Foltak. I am the CEO VP in Head of Cloud and CISO here at Dito. I've been here for about four years building out the Google Cloud practice at Dito.
Prior to this, I was chief architect at Deloitte Consulting. I helped build their AWS GCP and Azure practice, years at Cisco systems, Verizon, been in the industry, heavily focused on the security aspect of securing IT. And what's very relevant here is that right now what we do with Ditos, we help predominantly, not exclusively, but predominantly heavily regulated industries like health care, government, financial service sectors protect their data. Because in the end, fundamentally, everything's about data.
Everything's about, you know, the utility of data, managing moving, dealing with the data, but doing it in a manner that is a secure appliance. And, you know, the goal is to keep you off of the front page of some newspaper running in terms of a breach or something to that perspective.
Some very good points, obviously, here at Virtru. We, our focus has always been, you know, data outright, data centric security we look at things from the data object out. And I think obviously tax season financial information personal financial information.
We are entering that phase of the year where data is being sent, shared, not careless, but there's a lot of data being requested right by end users from financial institutions from accountings, etcetera.
What do you see kind of, you know, based on the role that you've had in your vision of this yearly process. Right? What are some concerns that we see, during tax time?
I won't even elaborate tax specifically because everybody's got their period of the year where, you know, whether it's Christmas. Sure. Whatever, where everybody kinda goes into a mode of don't break it. Right? Let's just get through this particular deployment matter, but I will basically say that protecting of certain documents is always critical to many organizations.
And the challenges oftentimes IT organizations have a one size fits all or a very I would say, like, non very focused approach of how do I deal with my most critical sensitive information. And so, that's where companies go wrong because you can't protect everything nor should you Right? The old adage don't spend a thousand dollars to protect the twenty dollar bill. That's not the role of a security team to bill that. However, when you have something that is priceless or or or critical to an organization, you're going to have to invest, you know, in the people, the technology, and the processes to secure them.
And it's a continuously evolving battle. Right? What in the past used to be perfectly okay for people to just, you know, print out people's tax returns on someone's, a printer, right, corporate printer. And, you know, from a security perspective, if you really think about it, all those printouts are stored in the cache of the printer.
You can always go back and reprint them. Right? Look, I'm just pointing it out. This is physical security.
We're not even talking about IT, but if I was, say, thinking evil as a security guy, I would be going for your lowest hanging fruit. And what usually that means is, people and their kind of lacks approach to security and not realizing What does that mean if I printed this document? What does that mean if I share this document in an email that happens to be someone's tax return and they send it to another employee.
Right? You have unauthorized or lineage of documents that are now left your control.And without some kind of a mechanism to protect that, right, to make sure that my copies of these documents don't land themselves into unauthorized places, you're at risk. And the closer you want into a service, let's say, taxes, which is very, very commercial in the sense that, it's closer to the people. It's not some structure in IT.
I would say the more lax the security controls are. And so that's if you understand what I mean, because people don't look at protecting their laptop as well, maybe they do, but it's they view their tax document in the same view as their kids' photos. And maybe to them, the kids' photos are valuable, but, you know, from a tax professional perspective, you won't get fined because someone's photos were breached, right, versus financial information or something to that effect. So it's being able to compartmentalize and understand what it is that you're protecting and then figuring out how are you handling that differently is something that I see that is often missed and in the world of cyber and process and compliance, which is where Dito focus a lot on, that's where we kind of put a lot of energy on and saying, like, look, you need to classify your data.
Right? If you don't classify your data and then say, This is critical to my operations. It's highly restrictive. Only a very select set of people should have access to this.
Right? And then you say, well, this is public. Right? I share this on Facebook. Everybody knows what this happens to be by not understanding what data is important and what are you dealing with sensitivity from a sense of theory, but you're you're out of you're gonna get yourself into trouble. But once you do that, you go through that exercise. And by the way, it's a time consuming painful task of doing that, breaking down and saying this data is critical. It's sensitive.
While this is public, but once you do that, then you can start exploring. What do I do to protect my most important information in my organization?
And that's where, you know, again, one of the key criteria that we focus on is that, you know, the people processing technology and Virtru does a great job as part of the technology stack saying, how do I now focus on protecting those data records that are of criticality for me because of just the way people engage with data. It's important for us to have that extra layer, for that particular set of data.
While, you know, if they still wanted to share their Facebook post by all means, right, that's not something that from a technology perspective matters, but maybe it matters for people in process, right, and this is something that companies also need to focus on to build that, you know, sort of a won't think approach the security to make sure that I'm not some hacker who's gonna make a phone call to some administrator or someone new at the company to try to say, I'm a while I'm your customer and I need access to this record or some people like Social Engineering is a big risk. 100%.
Just pointing out that no amount of technology is going to prevent someone from oh, just print it out and email it to me or something like that. Right? I mean, those are the things that I always worry about because it not it's not that it's not hyper secure because sometimes people don't do what they do to secure documents, and that's that's where Sizzos and leadership gets into trouble.
This in the compliance world is a bad thing. We refer to this as this is where liability also gets thrown in. So as a Sizzos these days, you can get arrested for failure to do your due diligence and then and your due care. And what does that mean, is that you are responsible for identifying the risks to your organization, understanding what's out there, how I can prevent it, and putting that plan in action.
And if you follow the industry best practices around that, look, the reality is you can't prevent 100% breaches. Right? There are zero capabilities. Anybody who thinks I'm gonna protect you at 100% is lying.
Okay? Just right off the bat. There's always a way to get around something it's just make it very difficult. Right?
That's the goal here and makes it almost impossible, which is the ideal sort of goal. What I'm gonna really highlight and and and focus on is that every organization has to look at things from You know, operational standpoint, what is my governance? How do I manage my data?
What data? And how do I focus on protecting it? Because all it takes is one breach these days and your company could be, you know, drawn in mud. For sure.
No. I think one important point too, Rich, that you, that you mentioned, and I think it's extremely important. It's identifying, right, it's people as you as you've said a couple times, people processes technology.
I think a lot of times organizations end users, a regular consumer is gonna put technology before everything else. Right? And then you kind of get in this dilemma of great. You technology, but if you haven't flushed out the components, the people and the process components, What data do I have? How do the users within my organization or just as a regular end user, a consumer?
Kind of, you know, talking about taxis and finance my financial data that I have to share.
There has to be a process to identify, classify what kind of data I have? What am I willing to do with that data? Right?
I know I have to share it, but, what kind of access should, the person I'm sharing that data with, what kind of access should they have? So I definitely think that is extremely important, making sure folks or organizations are looking at things the right way. Establishing, obviously, training the people, empowering the people, making sure they know how to go about, you know, as they're sharing data data needs to be shared. Right? We live in this world where we can't protect data, but we can't stop data from being shared. Data needs to be shared in order for businesses to operate, etcetera. That's just a world we live in.
How do we make sure we are empowering people to handle that need to handle and share sense with data, give them the right processes, right, and tools, to make sure we are, being as diligent as possible, making sure we are handling things within compliance. Right?
As you set it to each one breach and then you know, we're having a conversation. Nobody wants to have at the end of the day.
What are some additional best practices, Rich, that Dito kind of, has, deployed internally, you know, you kinda share with your partner's customers also?
Well, one of the areas where Dito focuses on is, like, yeah, we support Google solutions in the ecosystem. Workspaces, you know, Gmail for corporations and the documentations over there.
And one of the areas that we kind of, you know, strive around is, you're talking about financial documents which have their own sort of structure, but even things like a spreadsheet or a a word document, right, how often do those go just get attached to an email and what what do the scanners look for? Oh, do you have a macro that is a threat?
But the data that's part of that document, leaving your building is also a threat.Right? And so a lot of our customers these days are also asking in terms of, let me just give you an example. So because Google, everything's in the cloud. We generally don't want your data to be downloaded to your laptop.
Right? We want to leave it in the cloud wide because we can monitor it. We can watch who has access once someone downloaded it onto their computer, unless it's a Chromebook, a lockdown brick that you can't really, you know, shove a USB drive.
The reality is it's relatively straightforward to just attach a document that you've downloaded to your computer to a Gmail account and send it out somewhere else. Right? There's ways around, you know, Dropbox or other services where you can move documents that are that that lose your control.
So we put a lot of emphasis on protecting your data and not allowing it to get to your laptop. Right? Alright. That's a that's a big control aspect, and then also being able to, you know, help organizations build their sock to monitor for documents that are leaving their boundaries of control because, look, it it's perfectly okay if this happens and people are doing this, but somebody should be notified that and then maybe what if someone is going into a repository of a whole bunch of tax records?
And they're not just hitting one tax record. They're downloading the thousand Right. Tax records. Right.
Right. Like, hold on. Who's watching for this because you, as you part of your job, should be looking at one, two, maybe five tax records a day. Once you're hitting a thousand, there's something fishy going on. And I'm not saying it's a breach, but this is the part where, right, you could do everything from a technology perspective to say he's got a right to access these documents to perform his job.
But now he's going on the call of what a typical day is, and that's a process and a people's security aspect. And so, like, one of the areas we put of focus isn't like, hey, can we monitor what people are doing with documents and start looking for basically outliers of behavior to, again, generate an alert to notify the owner because part of classification, by the way, is that everybody has to like, you can't just create a buckle. Somebody has to own that bucket. Right.
And then technically, they take responsibility for the data that's in that bucket. So from a security perspective, I just know you did something weird here, let's just notify the owner by saying we're seeing this behavior. Why? Because it just may be someone had a bad day, okay, if like stuff is going on and they're you don't want the alarm bells to be popping up.
But if someone is, knows he's being fired, because this is a common scenario. Right? Are they gonna do? They're gonna try to extract as much data out of the organization of value, right, to do some misdeeds. Sure.
Type of stuff, we're building controls around to allow an organization to protect itself in the cloud. Because just because it's in the cloud, there are good controls there. You can manage how things are done. You can be very efficient.
But it's when it leaves where, unless you have DRM technology, where you can lock down that file and say that, hey, once it's out of my control, you know, it's like I can't manage it, then you're going to get yourself into a lot of risk.
Yeah. I think that's spot on. And I mean, it is kinda, to me, it reemphasizes, it's this data centric component. Right? It's saying, I'm gonna have these additional tools in place that in the event, again, something is more of a behavioral edge case that we normally don't see. Right? Seeing that use case you mentioned, I've got tools in place, processes in place that are gonna notify that data owner some way. For x y z reason, we're seeing this user that on a normal week accesses this document twice.
Today, they accessed twelve times. Whatever that scenario is, I think, additionally, it's how do we add controls to that data, right, to the data itself and saying, Hey, do I want that user to be able to remove that file, download that file, make a copy of that file, should that data object or that that file, be accessible in perpetuity, or can I add some additional controls, right? Obviously, regulations and compliance is a factor there, there as well. But, you know, I I love having the ability. And again, this is now we've gone from people processes to technology. Whereas good data hygiene, data posture for me having this access to data in perpetuity, I'm always gonna question. Right? I wanna say, hey, I don't want you to have access to my data forever.
Let's start with, you know, three months. And then in three months, you say one, I need additional time because of x y z. Great. I have the tools in place to allow you know, allow, allow me the data owner to update that access and control for a longer period of time.
But I do think kind of those those three components are so important, and I think they are often overlooked.
It's not just technology. It's not just processes. It's not just people. It's figuring out a way to bring all of those three things together.
No. Absolutely. And there it lies and it's always there's no one size fits all. And that's the key. I mean, like, my job security. I kinda laugh at this, you know, working in security in the security area, but there is a thing called job security, right, is the fact that every organization has very different business objectives and very important needs.
And, but there are what I would refer to as best practices or templates or I'll call it playbooks in the sense that, look, there are cyber security frameworks like NIS, like ISO. I'm not touting them specifically, but what I'm saying is just like you have a car, you go and bring it into the shop, they'll go and do we've got a ninety three point checklist that goes over your car to kinda see what the health of your organization happens to be. We're not advocating to come to Dito for this. We're saying, look, it's free. This checklist, take advantage of it. Why? Because it will ask you what is your change management, how are you protecting your environment?
So we will do assessments for organizations to help them through the short sort of journey, but we recognize that, again, as part of the discovery, what are you doing to secure your environment, and what is really what you're mostly afraid of losing?
Because as I said, don't focus on spending a thousand dollars protecting a twenty dollar bill. That's a waste of time and energy. Realize what is your core business data that is important.
And you don't try to fix everything, also focus on the core data that you're trying to protect.You can't stop all breaches. You and you can't and look at the perimeter.In the past, everybody was focused on the fact that my enemy was from the outside.
The reality is your enemy is on the inside as well, and it may not be intentional understand this too. A lot of people forget that there is unintentional stupidity. You wanna call it that, like, do stupid things all the time. My wife keeps reminding me of this.
Okay. So look, the point is we're human, even if you have the best intentions, even if you do the things right, you're eventually going to do something that, oh, I probably shouldn't have done that. You need to have controls in place that call it dual control. Hey, honey, should we be doing that?
Right? It's like, these really do help you in terms of driving good habits into the organization to help you get to the right outcome. And so that's why I'm kind of pointing out that you know, don't reinvent the wheel. Understand that there are good practices out there.
Understand that there are certain things you could do to help your people, your process, which involves sometimes training, right, just having a security policy yearly assessment. Just like, hey. Do you guys know about this? You know about fishing? You know about this particular aspect, do a trial hack in your environment. Call it a tabletop exercise.
See what happens when you have a fake reach in your organization and how your organization handles it. Right? Just saying we're going through the exercise You don't have to raise all the alarm bells, but you can, you know, people could be told on that day. We're just documenting the process of this breach.
To see what happens, how long it takes, kinda go through these particular aspects, again, focus on people on process, but also test your technology tests us how an inside actor having access to your environment could abuse what you've done. And then when you document these risks, start looking at partners to help you in saying, what have others done to help mitigate. Again, you're not killing the risk. You're reducing it to something that's much more acceptable. And it may just be every time I share a document outside this organization, I need to get sign off by somebody else, right, my boss or a colleague and then put those controls in place so that if you're violating that, your employees know we're monitoring for this. This is where our security operation center comes in and says, they're capturing the logs of this and that we're gonna be coming to you asking you why did you do this? Again, if you're gonna, that's fine. What we find is if people know controls are in place and that they're being monitored at least loosely, that they're less tempted to behave partly. Right?
For sure. For hygiene. Okay. Let's not even talk about, like, Most people make mistakes, not because it was intentional, but it was more convenient for them to download something onto their BYOD device or because I go in on the road. I gotta do this, like, no. Right?
If you do that, that could be a breach of contract, your employment contract. These are things that need to be told to people, why? So that they are not incentivized to do something bad that will end up hurting you as an organization. So why this way we're calling this out, it's like it doesn't have to be a bad actor that intended to be a bad actor.
It just can be someone who had to make their three o'clock kids baseball game and decided to take something that should have been secured in an unsecured environment and could cause some, you know, problems not only for you, but for the firm. Right? And that's why we're kinda looking at it and saying, you know, tax data back to that.
It shouldn't just be loose moved around in an organization, period because if something happens, if that laptop gets stolen, you know, where he forgets it at the airport, these things happen so often it's kinda scary.
And you don't have the right security controls on the device first. But also on the data that was in there, then if someone ever breaches that data or breaches that computer, and by the way, that's not very hard. If I have physical access to your computer, I don't care what you put on that computer. I mean, I'm just putting it out. Unless you're doing remote wipe or some sort of control. Right. Right. I'm just pointing out if there's enough incentive someone can get at that date.
So No. That's that's that's spot on. Rich. No. Yeah. And again, I think, you know, tying it back to the three main components, obviously, people, processes, technology.
And yeah, not not every not every scenario is gonna be the same, but I think just empowering the organization first, right, initial training, ongoing training, different scenarios, different ways of, looking at possible, you know, scenarios like you mentioned role playing some of those. What happens in this type of event?
Here are the processes and here is or hear the different technology options we have also to make sure everything is encompassing the right way.
And it's an ongoing thing. It's not a one event, and then we're done. Right? I think, obviously, We learn. We continue to learn. There's new new things happening every day, which we need to then empower the people, define new processes, and look at technologies out there to make sure we are addressing things accordingly.
Rich, thank you so much.
Extremely awesome catching up. Thank you for the insight, the value. I learned a bunch and I know a bunch of our viewers will also.
Thank you, Juan. Appreciate it.
