Privacy

Ep#100 – Dimitri Sirota – The Two Audiences For Privacy & How They Drive Data Collection


This marks the 100th episode of The Virtual CISO Podcast, and an insightful journey of frank discussions with thought leaders who provide the very best information security advice and insights.

I am happy to have invited Dimitri Sirota, CEO & Co-Founder of BigID, to walk through BigID’s approach to privacy, security, and data governance on this milestone episode.

Join us as we discuss:

  • The merits of gathering data beyond the usual locations
  • Why discovery is a foundational piece of BigID’s approach
  • How BigID supports efficient data collection

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

Narrator (00:06):

You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT, and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

John (00:24):

Hey there. A quick interruption before we get going on this week’s podcast just to say, “Thank you.” Proud to say we hit 100 episodes. This is the hundredth episode of the podcast. What might be a little bit odd is that we started the podcast not to generate listeners. We actually did it to do three things. One was we wanted to generate content for the website for SEO, to drive some new business, achieved. Second thing that we tried to do was give us a platform to speak with thought leaders in the space so that we could extend our thought leadership and we could give good guidance to our clients, check. That’s gotten done.

Third thing is that we wanted to meet with new and emerging and promising products, so that way we could help our clients build out the trusted ecosystem that’s necessary to fully operationalize a cybersecurity program and we’ve been lucky enough to do that as well, so check. Somewhere along that route, people started to find the podcast. It was humbling when I was recently talking with our marketing director and he said, “Yeah, last podcast had a couple thousand people listen to it,” which is crazy to me, so thank you and hope you enjoy the episode.

Hey there. And welcome to yet another episode of the Virtual CISO Podcast. With you, as always, John Verry, your host. With me today, Dimitri. Hey, Dimitri.

Dimitri (01:47):

Hello. Thank you for having me again.

John (01:50):

Yeah. I’m looking forward to this conversation, man. Always start easy. Tell us a little bit about who you are and what is it that you do every day.

Dimitri (01:56):

Yeah, sure. Depends on the day, I guess. I’m the CEO of BigID. I’m one of the two co-founders of the company. We started about six years ago. We focus on helping companies protect their sensitive, personal data in the cloud, in the hybrid cloud. We started just around the time GDPR was coming out and felt there was a gap in the market, especially as it pertained to helping organizations identify personal data at a level of granularity that you needed for privacy regulations, like GDPR and CPA. That was, and then since then, we’ve raised about 250 million. We’re about 460 people around the world, so I have to be in Miami. You ask what I do every day. I sit by the pool and drink piña coladas, but beyond that, we’re quite distributed. We have staff in LATAM, in APAC, in Europe, a lot of developers in Israel, which is where my co-founder is, and staff in the UAE and various parts.

In terms of day-to-day what I do, as the CEO of the company, obviously help set direction. Although obviously taking input from everybody. I help a lot, at least like to think I help a lot with sales. I like to be involved in sales; I always have. I work very closely with the alliances team. We’ve done quite well in terms of building strategic relationships, both on the global system integrator side, on the GSI side, on the ISV side, like software companies of which many are investors like SAP and Salesforce and ServiceNow and MongoDB and HP and Splunk. Then, I chit-chat. I help where I can. I let a lot of the team do their own thing, but yeah, I’m here as a resource to them.

John (03:52):

You might’ve answered the question. I always ask, “What’s your drink of choice?” You mentioned piña coladas. I would’ve thought you would’ve gone with mojitos being down in Miami there. Are piña coladas actually your drink of choice or is that just being funny?

Dimitri (04:04):

No, no. I’d probably put on more weight than I could even imagine, so I drink a lot of, I think it’s called ranch water. It’s a Texan drink. It’s mostly tequila, unsweetened lemonade, and soda water. I think it’s a little bit healthier for you. I’ve been trying to drink something a little bit more pristine, less sweet. I don’t like a lot of those tropical drinks to be very honest and when I do have mojito or any other Mexican or South American drink, I tend to avoid the saccharin, the sugar, the simple syrup. I don’t know if it’s prediabetes or what, but I don’t tend to like that stuff.

John (04:48):

I have not heard of ranch water, but I am a tequila fan. So I think the next time I’m out, I’m going to order myself a ranch water and try that because it sounds a lot like I used to drink a drink I think they would either call it snake bite or cactus bites, which was just lime and ice and tequila. I used to drink them a lot when I was skiing out west. It was my skiing drink.

Dimitri (05:10):

Simple, low calorie. How could you go wrong?

John (05:13):

And tequila’s either you like it or you don’t, but I’m a big tequila fan. Even starting to stem into the mezcals, which is a different variation on agave. Right? All right. Let’s get down to business. Clearly, month over month, the percentage of conversations we’re having with our client base, which is mostly SME businesses, the percentage of those conversations that include privacy is growing significantly, but I would say that most companies or many of the companies are still fairly lax in implementing what I’m going to call robust privacy programs. If they have a privacy program, it’s rare that I would say it’s a letter of the law privacy program because a GDPR letter of the law program is a big lift. I was curious, do you see the same thing, and is it a bit more enforcement by the California AG that’s going to make privacy move forward at the rate that it probably should have and is not yet doing?

Dimitri (06:08):

It depends on where you look. The traditional BigID business is much more geared towards larger enterprises, Fortune 100, Fortune 500, which is where we cut our teeth. Those organizations have large targets. They have lots of customers, those customers want access to their data, so it’s very top of mind for those folks. On the SMB side, I think it’s a little bit different. They don’t need the same robustness or complexity from their privacy program. They literally just want to be able to get something up and running. Then secondly, they want to be able to maybe integrate it with some other things like data security. Especially now since most SMBs are entirely in the cloud, I think what we offer and we’ve actually introduced this not too long ago at the RSA security conference, a product called SmallID.

SmallID is a lightweight SaaS that bundles basic data protection, data privacy in one and I think that’s going to be a lot more palatable where it’s no longer like, “Wow, this seems really complex. I don’t have a chief privacy officer. Is there a way for me to combine everything I need around securing my data and also protecting the integrity of my data for my customers?”

John (07:23):

Just out of curiosity, and like you said, you probably have worked more in the Fortune 100 where I think they’ve done due diligence on the privacy, but we haven’t seen the due diligence really done yet. I think one is most orgs feel like they’re small enough that it’s not likely that they’re going to have an action from any UDPA against them. They’re less worried about GDPR and we really haven’t seen much enforcement from the California attorney general. You think that’s what it’s going to take, quote/unquote, for people to pay a little more attention in that SMB, SME space?

Dimitri (07:54):

I think so, but remember there’s two elements to it. Really, there’s two auditors. You have in the US, the AGs, in Europe, the Data Protection Authorities, but you also have your customers, the consumers. If they’re asking for their data or if they’re instructing you in terms of how they want to allow you to share and sell the data, then you need to abide by that. You actually have not just the AG, and the AG is going to have limited resources under the new CPRA regulation, which is an amendment to CCPA. There is more budget set aside in California to actually do enforcement, but even with that, it’s never going to be every company that has California citizens. I think to some degree, part of what drives companies to do something is really more around the fact that they have customers and they don’t want to offend those customers. Those customers have data with them. Those customers have certain entitlements in terms of rights, in terms of accessing, deleting, correcting the data. How do you make that easy to manage when the data is in Salesforce and ServiceNow and Zendesk and things of that sort?

John (09:09):

I would agree that that is definitely part of the equation; because we’re seeing, as an example in the law firms or the SaaSs that process a lot of personal information, that the client demand is forcing them to move towards something like ISO 27701, which has some form of attestation of that privacy program. I agree with you. I think a little bit more, it doesn’t need to be consistent enforcement, but some news out there that there is some enforcement I think would go a long way as well. I think what you guys are doing over at BigID and now SmallID, did you call it, or LittleID, I forget which way you referred to it.

Dimitri (09:44):

LittleID is a future product; don’t give it away.

John (09:47):

All right, shoot. Sorry about that. I look at what you’re doing as being what I’m going to loosely refer to as technology enabled privacy, something that replaces, for most organizations, what I think is a series of manual processes. Can you walk through the steps of building and operationalizing a program that is technology enabled? As an example, can you discuss the discovery process, which is so critical to clearly understanding what your privacy program needs to include?

Dimitri (10:17):

Yeah, sure. One of the biggest challenges in privacy, and as I mentioned earlier, there’s really two audiences for privacy. One is the Attorney General in the US or DPA and they want things like assessments. They want attestations basically around privacy impact, et cetera. There’s another one called ROPA in Europe, which is article 30 of GDPR. They want things like this, which is a report on your data and how you abide by it. There’s a second piece, which is all about data transparency and data rights, so consumers, employees have certain rights to request their data, to delete their data, to correct their data and obviously a lot more employees and a lot more consumers. They’re harder to do because there, if an employee says, “I want to know what data you have on me,” that data could be in email. It could be in files. It could be in databases, it could be in SaaS applications. It could be in development environments.

The definition of what is their data could be very broad. Under GDPR, it’s extremely broad. Even under California statutes, it’s quite broad. It can include credentials, GPS coordinates, IP addresses, cookies, session gates, click stream, what I do on a mobile app or website. It could be very, very large. The challenge for organizations is when they get a request, when an employee or a customer says, “Hey, I want to know what data you have on me.” That data can be in a lot of places. What historically folks would do is they do a set of questionnaires or interviews with their own employees and the employees would say, “Well, we have personal data in these five places,” and if somebody submits a request, you’d have a database analyst go into those five places and say, “Oh, I found one. I found a piece of information on Dimitri. It’s around his profile.” The other four analysts would do similar.

The challenge with that is, obviously, you’re really just looking in places that your employees believe there’s data and you’re only looking in places that are obvious, like a place called “customer”, or a place called “employee” or a place called “prospect”. How about all the other places where you could have information that belongs to individuals? That could be “marketing tools”, “analytics tools”, “BI tools”, “AI tools”. There could be many, many places and nowadays there’s these honey pots of information gathering like Snowflake, like S3, that collect other information. There could be data on me in a form. It could be in a document. It could be in a note field in Salesforce or some other type of support service. Looking everywhere is technically what you’re accountable for, what you’re responsible for, and you’re opening yourself up to liability if you don’t do it.

The challenge there is how do you actually look everywhere? How do you figure out, here’s the data that I have on Dimitri, some of it’s in a database, some of it’s in a file, some of it’s in an image, some of it’s in Snowflake, some of it’s in S3. How do I find all that, put it together, and give you a report that says, “Here’s what I found on Dimitri, including, potentially, emails, correspondence that I’ve had with that tricky Dimitri”? That requires a rethink and a new approach, so when we started off, we thought that old approach of interviewing people, them telling you five systems, and then just looking in the obvious places in those systems, wasn’t going to cut it. We built a whole new set of technologies that we patented, built on graph technology, which is the latest in ML, that essentially allows you to look across your entire data estate and pick all those morsels of information and tie it together into this graph, belonging to an identity or a person saying, “Here’s the collection of information I have on Dimitri,” and give you all the confidences and so forth.

We made that easy, so you don’t have to have a poor analyst going through those five databases, or a hundred databases, or a thousand databases trying to make sense and say, “Well, I found a GPS coordinate from some mobile interaction because that belongs to Dimitri or somebody else.” People could share GPS coordinates. That was one of our big innovations and it was specifically directed at that data transparency, data integrity, but again, it’s a type of automation that would require a tremendous amount of labor. I think Forrester has quoted a number somewhere in the $2,500 per user request. That’s again, only looking in those five databases. This obviously takes it down significantly.

John (14:58):

The other thing which is interesting about that is that not only does it simplify that process of finding that information, and it’s going to be far more accurate than, like you said, the interview process; we refer to that as a data mapping exercise. But the reality is that by the time that that data map is done, it’s no longer accurate because processes change, applications change, people change, so the types of information that we’re gathering and where it’s ending up, three months after we’re done with the data mapping exercise, has changed notably. If we’re doing it through an automated mechanism, a discovery mechanism, you have a mechanism I’m sure to stay current on where things are actually being kept, right?

Dimitri (15:37):

We do. We detect changes, but I would even go one step further. There’s an old adage or aphorism that great ideas come from replacing spreadsheets in technology. I think you could argue that Salesforce to some degree is a replacement of a spreadsheet. Using spreadsheets as exercised, which is the predominant way data maps were historically done, you’d send around a set of questions in a spreadsheet and you tabulate it at the end. That’s obviously very limiting and on top of that, there is a whole set of data sets that are just not enumerable that way. Let’s take Snowflake. Snowflake is a dumping ground by its very nature of data. It’s changing all the time. It’s growing all the time. There is no one person that knows what’s inside of it. S3, which is one of the data lake technologies that AWS has alongside of Redshift, which is a data warehouse alongside of Athena, alongside of their data pipeline and technologies.

There is no way a person knows what’s inside because it changes. File folders, most people don’t even know what they have in their file folders, their corporate file folders. It’s constantly editing. Things are forking. Things are branching. Email, people get tens, hundreds, thousands of emails a day. That is changing daily and yet that is still covered. Clearly the data mapping exercise that you talked about, which historically was done through spreadsheets and interviews, is not going to be entirely robust. It’s obviously based on recollections, not records of your data, and people have fallible recollections. Most people can’t remember where they put their sunglasses. I don’t know where half of mine are, but on top of that, there’s going to be whole pockets of your data ecosystem, recollection or not, it’s just impossible. You can’t foretell. You know the email is changing. You know your file folder is changing. You know your Snowflake is changing. So again, for those environments, you just have to have technology because you can’t map the usual way for those type of products.

John (17:51):

All right. You make that part of the process way more effective and accurate. Once we’ve got this personal information, relevant assets document, we’re starting to create that article 30 conforming RoPA, that data map as some people refer to it. We need to ensure that we apply the proper privacy controls. Typically, the next step is a data privacy impact assessment and you’re beginning to figure out how you’re going to deal with your data subject access request. Can you talk us through what BigID or SmallID does in that area?

Dimitri (18:25):

Yeah. BigID is predicated on two pieces, maybe three pieces, you could argue, almost like a sandwich, think of a sandwich. The base bread is really the foundational piece on which everything is built, and that really is the discovery technology, the thing that abstracts access to all these databases, that could look inside without using agents or any of these old school mechanisms, to make it easy. Right above that is all the ways to analyze the data. Depending on whether you care about privacy or security or data governance or data retention, there’s different ways you need to look at the data, and so we provide multi-ways of processing the data, four ways. We call it discovery in-depth, and right above that, that top level of the sandwich, is an app store.

It’s a set of modules that sit over top, leverage the APIs that BigID exposes, but essentially embed another UI. Now, the reason we introduce this as an app store is that we wanted to make it much more atomic. Let’s say you want, you care about data rights or DSARs, there’s an app for that. Let’s say you care about RoPA, there’s an app for that. Let’s say you care about PIAs, there’s an app for that. If you want consent, there’s an app for that. You get the gist. Now, there’s some for security, like remediation, file access, but that modular format allows you to grow with your customers. They don’t have to buy everything. They can basically buy the pieces that they care about, just like when you first bought an iPhone, did you download every imaginable app? No, you got the ones that were most necessary for your daily life. Maybe an Uber, maybe a DoorDash, things of that sort, maybe a DocuSign.

So we created, and we’re the first company in the data management space that’s introduced this app store model, like the iPhone or like AWS. Again, it allows us to deliver a set of atomic functions that solve for PIAs or TIAs or RoPAs or DSARs, as an app. The old Apple adage that there’s an app for that. Now SmallID is a little bit different. SmallID we, by its definition, want to simplify. SmallID has basically more of a combined integrated feeling, less of an app store that may appeal to an enterprise that wants to add modules, but may have initial technology from somebody else, but eventually wants to replace it with BigID. SmallID basically provides everything in a unified pack.

It doesn’t have the high degree of configurability or flexibility, but that’s the nature of the beast. Smaller companies, frankly, would exchange all that flexibility for convenience and ease of use. SmallID basically tries to deliver a much simplified experience. Again, it’s going to be great for companies under a thousand employees, maybe for anybody above you need to go to BigID, but the beauty of a SmallID and BigID is that they’re cousins. I’m not sure if this is going to come up right, but you could literally go from one to the other. It’s just a license fee.

John (21:37):

Yeah. You might want to rethink that analogy.

Dimitri (21:41):

Of course. You can replace cousins, but the metaphor’s broken. But yes, you could transition from one to the other.

John (21:49):

Just out of curiosity, your APIs, do you expose those so that way that app store could theoretically have third party apps or is it more of a closed store?

Dimitri (22:00):

No, no, both. In fact, strategically a hundred percent of our APIs are exposed and documented, so we provide documentation on them. They’re part of our readme files or product documentation, and then partners we have NDAs with get access to the full API set. Yes, it’s all exposed and we do have third party. I believe about 12 or 13 apps that we’ve developed, we’ve co-developed maybe another 10, 15. Then we actually have another bunch of vendors that are building. Vendors, and we’re starting to get some system integrators, that are building some IP over top of BigID. That’s just in the early phases, but obviously the dream is to not just have 45 apps, but maybe 4,500 one day, so whatever your heart desires in the data visibility control, whether it’s in the public cloud or whether it’s in the hybrid cloud, there’s a capability inside of BigID.

John (22:52):

That sounds win-win, especially as we see dozens of different privacy frameworks going out there and having very specific differences that you might need to report on with one versus another, having somebody who specializes in that. I like that. That model sounds pretty cool, to be blunt. The other thing that I think the apps might work on, and I’d be curious about, is it’s one thing, and we see this a lot, it’s one thing to stand up a privacy program, it’s another thing to stand up an information security program, but I like to use the term operationalize. It sounds to me like the way that you’ve constructed this, either in the integrated SmallID world or in the more modular BigID world, is that I can use these applications that work with the underlying technology to operationalize the program. I have a mechanism on my website where I can click on a button and it kicks off a DSAR program. I have a way of actually, in some automated way, either identifying where data needs to be retrieved from, or actually retrieving that data. Am I thinking about this right?

Dimitri (24:03):

It is. You are, except once it’s installed, there’s not a lot you have to do. It runs a little bit more lights out. The one thing I’ll say is if you think about data privacy as a discipline and then data security as a discipline, you could even throw in data governance, which is a third bucket, typically geared towards less around finding your sensitive data or your regulated data. If you think about privacy, it’s all about figuring out where your regulated data is and then reporting on it. If you think about security, it’s all about finding all your sensitive data and critical data and then securing it. If you think about data governance, it’s all about finding your high value data and then publishing it to your BI and AI and data commercialization products. But what’s interesting about all of them is they start with a common theme, which is all about, “Where’s my data?”

We talk about that in terms of K-Y-D, know your data, but they all require a certain knowledge set. Whether you’re looking for the regulated data, like personal information, sensitive data, or metadata for data governance purposes, it all is about discovery, so our approach is why not have a common way to discover all that data, whether it’s metadata, so data about the data, whether it’s security data, whether it’s regulated data like PII, have one tool that does it all, that could look across your files and your structured databases, your SQL databases, your data warehouses, your SaaS, your development environments, your messaging platforms like email and Slack. Have one tool that could provide you a global view. That way you then decide through the apps, what you want to do with that data. If you care about, let’s say data quality, which is more of a data governance activity, the data’s already there.

If you care about remediation, maybe access management, like the security things, they already know where the data is. If you care about privacy, like reporting for regulators or reporting for individuals, the data’s already there. We took a little bit of a novel approach where traditionally you’d have a different data discovery for each of those pillars of privacy, security, and governance. We said, “Let’s create a single view of the data across everything, structured, unstructured, like your whole data estate, and then you decide what you want to do with that data, whether it’s reporting for regulatory reasons, whether it’s security, or whether it’s bubbling up the high value data for your data science teams. We give you more of a unified platform for that.”

John (26:33):

I think we both share the same fundamental idea that privacy is going to change information security radically over the next, as soon as it becomes widespread because if you think about it logically, once I get to a point where for a particular type of information, personal information, I have the information that you’re going to have for me. I know where it is. I know how to control it. I know how to delete it. Why wouldn’t I want to have that same capacity with other data, which has high value, high business value, or high compliance value to the organization? I’m assuming that one of the other benefits of an app architecture for BigID is the fact that your mind is beyond just privacy. Privacy is just one small group of information of which all of it really should be treated the same way. Privacy’s just the first one that’s going to have a legal requirement to do so, but once we get beyond that, once you’ve built these programs that can do that for that privacy information, why wouldn’t you want to use it for all your important information?

Dimitri (27:38):

Yeah and look, privacy is just a particular frame of reference of one regulated data, personal information. There’s other regulated data. There’s GLBA data, there’s SOX data, there’s HIPAA data, there’s PCI data. At the end of the day, data is data and you need this universal information navigation of your data. Whether the end outcome is to report, to retrieve, to output to a BI tool, it’s all about getting the good data and so we universalized the data discovery process. Where initially we may have started with the focus on privacy data, we said, “Look, we could build a capability to help organizations get visibility into all the data they care about, including the data that’s relevant for information and retention and so forth, the profiling data.” We provide that discovery as the foundational piece and then that makes it a lot easier for the apps because the apps basically are like a portal or a lens into a particular action on that data. That action could be reporting for regulatory reasons. It could be access management, encryption for security reasons. It could be some retrieval for data science, BI, AI reasons, but you start with the data, this global index, or GPS of your data, and then everything else becomes possible over top of that.

John (29:12):

The answer to this question has probably changed since we first talked with the introduction of LittleID. LittleID? SmallID?

Dimitri (29:19):

Small. SmallID.

John (29:20):

Gosh, I keep screwing that up. I’m sorry.

Dimitri (29:22):

That’s okay.

John (29:24):

What advice do you have for a lead InfoSec resource? A lot of times it’s the information security guys that get stuck with this, although privacy is not purely in their domain. In an SMB, SME that gets handed a data privacy addendum from their COO and says, “Hey, we need a baseline privacy program in place.” What would be your guidance to them?

Dimitri (29:44):

I think the key thing for them is to be able to do something, to do that automated data mapping and inventory. Start there because that powers some of the other elements of a data privacy program. Typically, the first things that people want to do is they want to do the mapping and inventory to support data rights, so they want to provide transparency. That means that they want to be able to either get requests through email or phone or have a portal. Once they have the discovery, then you start layering on additional modules. You want to have a customer, employee-facing portal. You’ll probably want to start looking or investing in assessments because assessments are things that you’re going to need to produce for regulators, maybe even your board of directors. Then you can start layering on more sophisticated requirements like consent, like RoPA, cookie management, but I would start saying that that data mapping, that automated mapping and discovery, is where most organizations want to start. Again, if they want to present that self-service portal to their customers and employees, then I would invest in a portal, which BigID has one of, among other vendors. Then probably from there, look at things in terms of reporting to regulators, probably starting with assessments.

John (30:58):

If you don’t have a clearer understanding of what information you have, you’re nowhere. Right?

Dimitri (31:03):

Yeah. It’s just basically kabuki theater at that point.

John (31:06):

Exactly. We beat this up pretty good. Anything we missed? Anything that you want to add in?

Dimitri (31:12):

No, I think the only thing I’ll reemphasize is to your point. I do think there’s going to be a convergence of privacy and security. In some organizations, especially smaller ones, privacy fits within security, but even in large organizations, they go hand-in-hand. I think that if there’s going to be a prevailing trend, 10 years out, it is that there’s going to be more increasing convergence between the two, especially as we move away from just legal practitioners and more to this IT problem that involves automation and looking across my data. I think more and more that the IT aspect of it will be owned by security.

John (31:48):

Well, that makes sense because you can’t have privacy without security. It’s a reliance. Let me ask you a question though. I agree with you on privacy and security. I don’t know the right term, information governance, right? Isn’t really what you’re doing information governance and I was going to ask you the question before, is privacy the Trojan horse for information governance? We’ve been talking about information governance for 10 years, especially in the law firms. Is privacy the Trojan horse for information governance and is that where we’re going and in fact, is that what BigID and SmallID are, is really an information governance platform?

Dimitri (32:28):

They are. We’ve toyed around with describing ourselves as reimagined data management. 100%, and I think in bigger companies in particular, you see some of that information management falling within the CDO, chief data officer, responsibility. It is. In big organizations, it’s a little bit of a gray area. You typically still have these three pillars of a chief privacy officer, chief security officer, chief data officer, and they have what I would describe as graying intersections. Historically, security focused on unstructured data security, and then the CDOs focused on structured data, the SQL, the data warehouses, but they’re starting to do both. We see a lot of them come on the same calls. Now you may have an initial focus from a budgetary standpoint on, “Hey, we just to find the good data for data governance,” or, “We need to find the regulated data for GDPR.” I think you have these three stakeholders, and in some companies those three are becoming two and maybe eventually they become one, but you definitely see three today and you see them increasingly collaborating on problems of privacy because you can’t decouple privacy from data security and from data information governance.

John (33:46):

No, no. It’s really a fascinating time to be doing what we’re doing.

Dimitri (33:51):

Yeah. 100%.

John (33:55):

Give me a real world person or fictional character you think would make an amazing or horrible… I’ll go CISO, or you want to go chief privacy officer and why.

Dimitri (34:03):

Oh, fictional.

John (34:05):

Or real world. Or real world.

Dimitri (34:07):

Man, you got me on this. I’m not sure. There’s so many good ones already. I don’t know if the world needs a fictional one. Look, I think the good news is there’s a lot of talent already out there, and I think certainly from a career standpoint, for those in the audience that are thinking about, “What do I want to do with my life?” the nice thing is if you have a bent towards security, there’s a great trajectory there in terms of data and infrastructure security. If you have a bent towards legal, I think the privacy profession, as evidenced by this organization, IAPP, that now has, I think, over 100,000 members. Certainly, if your bent is towards more information lifecycle governance, I think the work that’s happening in the data organization. I don’t have a fictional character. I don’t really read a lot of fiction. I read mostly politics, so I’m not sure if that’s the best- [inaudible 00:35:01]

John (35:00):

You could have gone Ronald Reagan, but anyway.

Dimitri (35:04):

Yeah, I think he’s more of an actor, but anyways, but look, I will say from a career standpoint, a lot of different personalities could fit and be successful in each of those three roles.

John (35:17):

Cool. If folks are interested in either BigID or a SmallID, what’s the best way for them to get some information?

Dimitri (35:26):

Sure. I don’t say this a lot, but www.BigID.com. You could also email [email protected]. If you want to contact me directly, [email protected].

John (35:43):

Well, this has been fun. I very much appreciate you coming on and chatting a little bit about this. I’m excited and I want to follow up with you on this SmallID stuff because I think that’s relevant to a lot of our clients.

Dimitri (35:55):

Yeah, no, you got it. Any time, John.

Narrator (36:05):

You’ve been listening to The Virtual CISO Podcast. As you probably figured out, we really enjoy information security, so if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected], and to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.