powered by Sounder

Information governance is the solution to that irrational fear of deletion we all experience from time to time. Expert in the field and Chief Customer Officer at EncompaaS, David Gould, breaks it down for us in the latest episode of Virtual CISO.

What we talked about:

  • What is information governance?
  • Data mapping potential and pitfalls.
  • The fear of deletion.
  • Value creation and information governance.

Check out these resources we mentioned during the podcast:

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Time-Stamped Transcript
This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.

Speaker 1 (00:06):

You’re listening to The Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security IT and business leaders. If you’re looking for no-BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

John (00:24):

David, good afternoon, sir. How are you?

David Gould (00:27):

I’m fine, John. Thanks for having me on your podcast.

John (00:30):

Well, thank you for coming on, I appreciate it. So I always like to start super simple. Tell us about who you are and what is it that you do every day?

David Gould (00:38):

Sure. I am the Chief Customer Officer for a company called EncompaaS. We’re Australian based, but beginning to move into North America and Europe, where I’m responsible for the business. We have a solution that helps organizations discover information, analyze the information to better understand whether or not they need to keep it as a start. And then once, if they do need to keep it, how should it be managed going forward? It allows organizations to put retention on content. That means at the end of the retention cycle, we also help you dispose of it in a very automated way. And we’re using the latest in machine learning and artificial intelligence to help make better decisions around knowledge management, business decisions, process management, and things like that.

John (01:27):

Thank you. Before we get down to business, I always ask, what’s your drink of choice, David?

David Gould (01:31):

My drink of choice is anything with bourbon in it. I have a great selection of syrup-based add-ins that allows me to make the best Manhattans, the best Old Fashioneds, and I enjoy those on a hot summer afternoon, probably better than anything else. In fact, I had a beautiful Old Fashioned last evening in preparation for today.

John (01:57):

What is it? Carpano Antica is a really great vermouth that you can get?

David Gould (02:03):

Yeah, I actually have a bottle of Carpano here. I don’t personally like it, I think it’s too juniper-ey. I’m much more of a Dolan’s man myself, but …

John (02:13):

I have not had Dolan’s. I’ve had Carpano and I like that quite a bit. And there’s a Cherryhill bitters that you can get. There was the guy on Amazon, some nutty crazy guy, put a formula for what he called the world’s best Manhattan. And I literally traced down all of the stuff and walked into my neighbor’s house one night with a big box. And I said, “I’m here to make the world’s best Manhattans.” And I can’t say it was the world’s best Manhattan, but I could say it was pretty good. So I give this guy a lot of credit for putting together that list.

David Gould (02:45):

Yeah, Carpano’s often the vermouth of choice on a world’s best Manhattan list. And in fact, that’s how I got introduced to it myself.

John (02:54):

So I can talk about bourbon all day, but [crosstalk 00:02:56]

David Gould (02:56):

And so could I.

John (02:56):

But we can’t. But I’ll only ask you one question, give me one or two bottles that are your go-to bottles.

David Gould (03:02):

Well, actually for the mixed drinks, for like an old fashioned or Manhattan, I think Buffalo Trace is probably the best bourbon out there. Evan Williams, which is a very kind of inexpensive brand is also good for mixing. Then when you get to kind of the sipping bourbons, then you know, you go up to Blanton’s and others, the ones you can spend a hundred or more dollars on per bottle. Mostly though, my bourbons are usually in some sort of mix, that’s kind of how I like to drink it.

John (03:32):

Yeah, I agree. If you’re going to mix it, and going above $40 for a bottle, to mix it-

David Gould (03:38):

That’s a pretty expensive mixed drink.

John (03:40):

Exactly. Yeah, when I go with the sippers like my favorite go-to now, and I’m sorry to say, I’m getting to the end of the bottle, is a Knob Creek 25-year anniversary. That was a wonderful one.

David Gould (03:51):

Bourbon’s great. You know, I have a few bottles here, and my brother who never knew how to spell the word bourbon about two years ago probably has about 30 bottles in his bar right now. He’s going crazy on it. So whenever I go down there, I sample that, and they have tequila. Those are the two things that kind of keep me going.

John (04:14):

All right, don’t get me going on tequila. All right, so let’s get to why you’re really here.

David Gould (04:17):

Sure, sure.

John (04:17):

Not to talk bourbon, that wasn’t why you were invited. So you did a very good job of kind of talking a lot about what you do every day, and would it be fair to refer to that, is information governance?

David Gould (04:27):

Absolutely, that’s at the core of what we do, and it’s at the core of what I’ve been involved with probably for the last 15 to 20 years of my career, most of the time.

John (04:37):

So let’s put a definition to that. How would you describe what is information governance?

David Gould (04:43):

It’s a good question, because if you were to ask me that question five years ago, I would say it would be a thing that organizations ought to think about doing. Today it’s something that organizations must absolutely do. And the reason why I say that is that the security issues that we face in running large scale enterprises, is obviously it’s on the front page of every newspaper almost on a daily basis. But more importantly, issues around privacy that lead directly to brand reputations of organizations, being able to identify and manage the data that you need to keep, and then being able to identify and dispose of the data that you don’t need to keep. Those are the two questions that we see organizations struggling with globally, even with tools in place.

David Gould (05:32):

But it’s also surprising that privacy regulations here in the US, the California Consumer Privacy Act, was a bell ringer for many organizations. Virginia now has just passed its form of legislation. Canada has new legislation. Of course, if you do business in Europe, there’s GDPR. So these privacy regulations have put a lot more focus in on discovery, analytics around data, and then the disposition of data. And to me, that’s at the core of information governance. So organizations have to be as good about disposing of data as they are about creating data.

John (06:13):

So do you look at information governance as being a logical subset of information security? Or you could argue it’s a superset as well. How do you view it?

David Gould (06:22):

Yeah, that’s also a good question. I think many times in my past, you know, over the last 24 months, when you go into an organization that needs to begin addressing privacy regulations specifically, you start talking about what you’re doing, and say, “Oh, I should have my information security guys here.” And I’m very quick to say, “Yeah.” Information security is a part of this, but if you look at information security with privacy and you were to create a Venn diagram with those two kind of balls and move them together, yeah, there is an overlap in the middle. But we’re seeing that security is really focused in on keeping bad guys out, whereas privacy and information governance is doing much more with the data that you have inside the business. You have to assume that you have walls and things to keep people from accessing that data.

David Gould (07:18):

But the data internally is also very risky, in terms of making sure that people who have access to it are only those who have access to it. As opposed to new collaboration systems, which we’ve seen proliferate over the last… Especially during COVID, like Teams especially and others, where the primary work product that’s being done in the enterprise is being done in those applications. So very sensitive data is being loaded in there, managed in there, discussed in there, and that’s creating a whole new set of challenges from an information governance perspective that we didn’t see even 24 months ago.

John (07:58):

Yeah, I think that was a good answer. Because, you know, when I think about… I was going to ask you a question. So I was going to ask you the question, what are the key attributes, let’s say, of information governance? And when I was thinking about that, even just my questions that I had jotted down for you speak to the challenge of it being something which is between information security and something else. So classification, I’m assuming, is one part of that, which is an InfoSec thing and a management thing, if you will.

John (08:23):

You’ve got retention, which is not an information security direct requirement, but yet it truly is. Then you’ve got use, which is information security and policy around who, right. And then you’ve got disposition, which again is not strictly an InfoSec thing. Would you call those the four key elements of information governance? Anything I’m missing?

David Gould (08:44):

No, I think you’ve nailed it on the head. You know, if you were to ask me that question point blank, I would have said discovery, classification, retention and disposition, which are exactly the four things that you pointed out. So we’re seeing that very much the same.

John (08:59):

Cool. And you know, you and I chatted once prior on this and we talked about the idea that to me, I think one of the biggest impacts of privacy is that it’s going to fundamentally change our relationship with data. Because once an entity goes through a data mapping exercise, they get to a record of processing activities, and they understand where data comes from, what processes and individuals act on it, where that data is stored, which applications that data is in, and they have the ability to retrieve it, they have the ability to delete it. You know, you think to yourself, why am I only doing that with PI? Thoughts?

David Gould (09:42):

Yeah, no, I mean, that’s a great question. When I first got into the content analytics business at Hewlett Packard, where I ran that part of our business for many years, we had a solution called Control Point, and essentially Control Point allowed you to do the discovery and also the analytics on content. The tools we have on EncompaaS take that and bring it to a much greater depth of capability and functionality; almost on steroids, so to speak. But I think this is an issue that organizations still struggle with, because, yeah, there’s real challenges on this and it’s not necessarily about fine avoidance, it really goes to the heart of brand reputation.

David Gould (10:27):

If organizations don’t do a good job at assuring their customers and their employees that they’re taking good care of the data, that they’re proper custodians of that data, I think that’s where your problems come. And it’s not just about paying a fine, it’s really, do I trust you or not? Do I want to entrust my financial information with you? Do I want to entrust my health information with you? And unless organizations can demonstrate that, it’s creating a whole new set of challenges.

David Gould (10:58):

And it’s been also pretty surprising that, you know, in working with the largest consultancies and advisories in the world, and also talking directly to C-level managers, executives at large enterprises, brand reputation is probably the number one issue that has to be addressed here. Organizations can’t fundamentally provide good service to customers without a strong brand in the background. And that strong brand is not only based on marketing spend, it’s based on how you treat information and how you judge information, and how you allow organizations to access information. While those things aren’t really apparent to consumers, they really add up behind the scenes and it comes screaming out the other end if you don’t do a good job.

John (11:44):

Yeah, I think that relates to, I know I’ve heard you speak before, and I know that you always talk about the three questions that you like to ask a client.

David Gould (11:52):

Yeah, and those three questions are, how are you identifying content that has risky or high value information today? What kind of processes do you have in place to manage that information? And most important, what are your disposition policies of getting rid of the content that you don’t need to have? And that really is probably the biggest problem organizations face today. It’s really, really hard to hit the delete button. And it’s not hard to hit a delete button just because you can’t press the button hard enough on the console to make the information disappear, there’s a lot of policy, there’s a lot of process and there’s a lot of ownership of information. “Hey, that’s mine.” “No, it’s not, it’s ours.” And so you get a lot of that within organizations.

David Gould (12:41):

And the other thing is, is that information is strewn about. It leaks into personal devices, it can be found in database applications, and it can be found in data lakes. It can be found in test data management kinds of applications, and it can also be found in things like Slack and like Teams and shared drives all over the enterprise. So it’s really a broad map that organizations really have to have a good understanding of what’s out there. And many times they don’t have that answer. And when they do have that answer and they say, “Okay, I know where my data is, and I know what’s valuable, what’s not, maybe what’s sensitive and what’s not, but how… Can you help me delete that data?”

David Gould (13:26):

We have a consulting arrangement with one of the world’s largest banks, and we’ve been working with them for two years, and we’ve just been able to delete the first batches of data. It’s a financial services institution. And it was a major celebration, it really was. We had a party over being able to actually hit a delete button and watching the data disappear. Because all of the processes that we helped this organization develop, all of the attributes that we had to develop, all the policies that we helped them develop, finally came together in one quick push of a delete button. It was actually pretty cool.

John (14:02):

Yeah, you know, I think one of the bigger problems there is fear, and I’m never afraid to tell tales where we look bad, and you know, right now, literally this afternoon, I got an email from one of the folks on our team saying, “Just a reminder, this Friday, we’re scheduled to delete this group of data. And there’s 45,000 files.” And you know, I have to be honest with you, I’m struggling with, I’m like, “Whoa, whoa, hold on a second. Did we get approval from everyone? Has everyone looked through …” Like, there’s this irrational fear of deleting this data.

David Gould (14:37):


John (14:38):

And I’m not a pack rat. I know there’s a lot of people with pack-rat mentalities. My wife thinks I’m the opposite of a guy with pack-rat. I throw crap away all the time and then she gets mad at me what I threw away. So I’m not a pack-rat, and I still struggle with saying yes to deleting data. We have a law firm client that’s got a warehouse that has records in it from 1890-something.

David Gould (15:00):

Right. I’ll tell you an anecdote, which is kind of funny, but it also, in my mind, really explains the situation. There’s one of the largest banks in Europe. They’re based in central Europe. I don’t want to spend too much time defining them because someone will figure out who I’m talking about. But they went back to 1947 and they had paper records for all of their clients, and they decided that they weren’t going to keep the paper records any longer, because they were degrading in quality and all of that. But they needed to keep them, so they digitized those records. And it came out to about 180 petabytes of content.

David Gould (15:41):

And at the time I was working for Hewlett Packard, and this client went to our main competitor, which was IBM, and they asked IBM, how long would it take to classify all of the data that we’ve digitized? And the first answer came back, honestly, 75 years. So I had a really enterprising sales guy call me up and he says, “Hey, IBM says they can do this in 75 years. How fast can we do it?” And I said, “Oh, you can do it in 35 years.” You know, as if it was going to make any difference, because nobody was going to be around.

David Gould (16:15):

But look, I mean, there’s massive amounts of data out there, and the question, it used to be that storage was cheap. Yeah, I get that, and yeah, you can create data of anything. But the reality is in the United States, the courts used to punish organizations for actually deleting data, not having it available. That paradigm has gone 180 degrees. You get punished now for not deleting data. If you go to court and somebody says our retention period on this piece of content is 10 years and you still have it in your enterprise, you might as well start writing the biggest check you can possibly make, because you haven’t been able to demonstrate legally that you have policies in place and you’re actually following those policies to actually delete data.

John (17:02):

So crazy question. Are information security consulting firms like Pivot Point, actually part of this problem? Because, you know, we do risk assessments every day, we’re helping organizations manage information related risk. And I don’t know that we do a good enough job of typically citing what I’ll call information governance risk, or information retention, risk. I mean, is that part of the problem here?

David Gould (17:23):

Well, it’s only part of the problem if you haven’t invested in expertise around that element. You know, I mean, retention laws really relate to the CFRs that the government has in place to govern all sorts of activity. Information security, yeah, there are laws on that that you have to protect things because every organization is different. I think most consulting firms do a really good job at helping organizations build those walls internally to keep bad guys out, and in some cases to keep certain parts of the organization from accessing information that’s custodianed in another part of the organization. Where most consulting firms don’t have really strong expertise and it’s still dominated by law firms, is in the area of retention. Because retention relates to legal citation and legal citation spells this out.

David Gould (18:17):

The trick there is how do you take literally tens of thousands of retention laws and figure out how do they apply to the data that you have stored throughout your organization? That’s really where the tough issue arises. And, you know, we do work with a couple of firms and there’s some firms out there that have applications which tell you what the laws are of retention, but really the last mile is how do you connect those laws to the actual data? And then how does that tag help organizations better manage the data through its life cycle and make sure they are hitting delete on the day the delete button needs to be pushed.

John (18:59):

So I think most of our conversation at this point has sort of been, so you know how COBIT views the world as risk preservation, so value creation versus value preservation.

David Gould (19:14):


John (19:14):

Right, so value preservation is risk management, right? So, and I think most of the conversation at this point has been about risk management. Is there also a value creation business enabling component to good information governance?

David Gould (19:26):

No, I think there’s two other things that would make up the perfect bar stool. Since we started talking about bourbon at the beginning, I thought a bar stool would be a great analogy here.

David Gould (19:36):

So you do have that preservation leg on the bar stool, but you have a cost leg. And I have commissioned organizations to actually study what it actually costs to manage information, especially on the unstructured side. And this was four or five years ago, we did a pretty in-depth study, and then the answer came back, it’s $25 a gigabyte basically to manage information on-premise. Well, somebody says, “Well, I can go down to Best Buy and I can buy a two-terabyte hard drive for $99 and plug it into my PC.” The reality is the cost of storing the information is only about 12 to 15% of the overall cost. The other 85% relates to the people who are involved, the policies that have to be enforced, the infrastructure that has to be built and managed, and all of the operational costs, that’s where you really save money. So that cost leg is also important on the bar stool.

David Gould (20:38):

The third part of the bar stool is productivity. So how does information governance support productivity? Real simply. The more you classify information, the more you analyze information, the easier it is to search, and it gets you back the right answer, for anybody doing some knowledge management application at work, answering something from a customer, whatever. So the better you have your data in store, the more classification you have on that data, whether it’s structured or unstructured, the better your search is going to be, which really goes to the heart of productivity.

David Gould (21:15):

I mean, think about how much time everybody spends during the day looking up stuff. So if you could take 15 to 20 to 30% of that time, because the data is better classified and eliminate that, any expert on productivity would grab that kind of metric in a heartbeat and put it into motion.

John (21:36):

Yeah, and I would imagine another place where part of that cost of the $25 per gig would come in, would be e-Discovery costs, right?

David Gould (21:43):

Yeah, that’s factored into it, yeah.

John (21:45):

Yeah, because e-Discovery is a nightmare. You know, I know of organizations that are just taking a ruthless approach to emptying people’s inboxes on their mail and everything, just for that e-Discovery cost perspective.

David Gould (21:57):

Yeah, I’ve worked with some very large organizations and the primary driver behind the reason they needed to put better retention management on data, was strictly to support the rediscovering cost. I mean, this was one case, it was one of the world’s largest automotive manufacturers, and we were storing most of their car crash test data in our application. And the reason we stored it was for e-Discovery purposes primarily, but secondarily also for productivity where the next generation of brake designers could learn what the first generation of brake designers had worked on, on a specific car or a specific model.

John (22:36):

So, is information security a misnomer, if you will, if we don’t have information governance? Because I mean, at the end of the day, I always look at information security, the first thing we need is a clear vision of what it is that we have and what we’re trying to accomplish. And if we don’t have that clear vision, if we don’t know exactly what data we have and exactly where it is, which is what information governance is going to give us, if it’s not appropriately classified, can I truly have information security?

David Gould (23:03):

My answer would be no. And I think that answer is kind of in the majority, it would be in the majority of most people that you talk to today. But if you were to ask that question two to three years ago, I would think, if we do a great job on keeping the bad guys out, it really doesn’t matter what we’re doing internally. And look, I mean, to your point, John, I think when we go in and talk to organizations about automating all of this, the number one question that they have is, where do I start? Because they know one thing more than anything else that they have a lot of data and they don’t know where it is.

David Gould (23:40):

And if you think about that from an e-Discovery perspective, if you think about that from a cost management perspective, or if you think about that from a productivity perspective, yeah, security is a driver. But it’s really a much bigger issue than just making sure that you have controls over who can access information and in what ways.

John (24:02):

Yeah, and I don’t think it from any of the perspective, I think from the perspectives you talk about, but the perspective I focus on is risk management. If I don’t understand, like, you know, if you think about it, there is a significant movement when you get to PCI and the CMMC. Increasingly, you know, we’re moving towards the fundamental principle zero trust, which are being driven now by the NSA, DHS, the executive order last week, right? So in a zero trust architecture, what’s the first thing we have to define, right? The threat surface, or if you think about it from a CMMC perspective, we call that an enclave, right? We enclave our CUI.

John (24:35):

So the reality is that if I don’t know what data I have, and I don’t know how to classify it, I don’t know how to protect it. So yeah, I think of it from a risk management perspective, and here’s a question for you. So I think information governance is coming. I think, unfortunately right now, our conversation and my conversations with clients, are very educational. It feels like an educational sale, if you will, if I can use that term.

John (24:59):

What do you think is going to be, I mean, I think we both can look forward and say at some point in the future, three years, five years, 10 years, whatever, information governance will not be something that people are wondering about, it’s something everybody’s aware of. What is going to make that happen? And how far out is it before you think information governance is not something which is on the horizon, but is something that’s sitting right in front of us, that’s active for all of us?

David Gould (25:23):

Well, I think that’s a great question. And in many ways I think a lot of that information governance, that I have a very dear friend of mine, who’s the head of information governance for a large state agency, and he’s always talking about the Nirvana, and the shiny new tool. So I think a lot of that recognition that information governance is important is there. I think up until now, one of the limiting factors was that the technology that was being deployed to buttress or support, or be the foundation for information governance programs, were actually quite limited. And they were limited based in terms of the sheer scope of what they could analyze. They were limited in the kinds of analysis that you can do on it. And I think a lot of the things that are being done at top-level DHS kinds of accounts, the NSA, CIA, a lot of the technology that’s being deployed in very secretive fashion, a lot of that is starting to be commercialized now.

David Gould (26:27):

And that technology is all about analytics. How do you analyze content? How do you put context around it? Does it belong with this part of content, or does it belong with another part of content? And now I think we’re just starting to see the benefits of these new technologies being applied to information governance applications. And yeah, I think there is a lot of education that still needs to go on, but I think the underlying assumption that people have is that they understand they have a problem, they just don’t understand the scope or the complexity of how to solve it.

David Gould (27:06):

And I think it’s been things like GDPR, like CCPA, like the new Virginia Act, what that’s going to cause is, result in, is organizations like yours and others getting really smart, doing the implication analysis of what those laws really mean. And I think the consulting piece of it is out there, it’s really the automation piece. You know, is it good enough for me to hire a high powered consulting firm, spend a quarter to a half a million dollars or more, to get the binder on what my policies ought to be? In the old days, that was good enough. You would go into a regulator’s office of a large bank or a financial services, and they would say, “How well are you managing your security?” And they’d turn around and they’d point to their bookshelf and say, “Look at all my binders on this.”

David Gould (27:56):

The problem is, is how do you take what’s in that binder and actually automate it and then actually put it into a process that doesn’t impede on an organization’s ability to do business, but does it in the background, but it has to get done. The volume of content is so high and it is so complex, you cannot outsource this. For example, I worked with a bank once and they tested us. They say, “We want to look at your automation tool, but we also have a team in India who are specialists in this.” So what do they do? They took a 10,000 page document, they gave it to us to analyze with machine learning. They took that same document and sent it to their folks in India. And they looked at speed of response, accuracy of response, and value created out of that. And hands down, the automation piece won.

David Gould (28:49):

I mean, it just wasn’t happening. Even to trained organizations who have trained people to do certain things. So clearly it’s that willingness to take that next step. And I think information governance will do better if you can relate it to the productivity and the cost issue as well, because people want to know what the ROI is, always. And unless you can provide them some metrics on this, and the easiest ones are to do costs, the $25 a gigabyte cost, for example, you know, those are the things that will help sell the story. But the need is really being created by the privacy legislation that we see popping up all over the world.

John (29:30):

So, and that $25 per gigabyte is annual?

David Gould (29:34):

Annual costs, correct.

John (29:36):

Yeah, makes sense.

David Gould (29:36):

That’s not cloud, that’s information that’s stored on-premise. And that’s unstructured content. You know, structured content could be even more expensive than that-

John (29:46):

Yeah, DBA costs.

David Gould (29:48):

Yeah. Well, yeah, DBA costs, but you have non-production environments, you have four or five of those, and then the biggest sieve that we see in the privacy laws, is organizations doing, regulating the structured data, is things like test data management, because you have to test your applications with format preserved. And so what a lot of organizations were doing was just taking a copy of a database, sending it to somewhere, and they were doing all of the testing on it.

David Gould (30:17):

Well, that data out of your own hands is like taking your password list and sending it in the US Mail. You wouldn’t do that, and nor should you be sending unadulterated databases to a third party for test data management purposes.

John (30:33):

Right. Fortunately that’s gotten a lot better than it was. Still not perfect, but I mean, in the old days, you know, how we going to troubleshoot problems if my developers don’t have full access to prod data?

David Gould (30:44):

Right, right, right. You have seen a lot of improvement in format preserving encryption kinds of applications, and that solves it, but it still doesn’t address the issue of retention. And then that’s the other part. So A, it’s test data management is one application where you have issues. But the broader issue is how do you keep this information alive to only its purpose and then destroy it when you need to? And these privacy laws have different sorts of requirements around that, depending on the jurisdiction. But they all involve one essential component, and that is, you’re really not allowed to keep information that’s no longer attached to an active business process, unless it has to be kept by retention law. So that is a very, very complex concept and it is very hard to be able to go through a piece of information and say, okay, this information has retention on it, or it may have legal hold on it, but it’s not being attached to an active business process. Do I keep it or don’t I keep it?

David Gould (31:48):

And that’s where good policy and good process comes into play, and hopefully organizations like yours do a good job at providing that sort of advice. But then once you have that advice present, how do you actually automate the actual management of that data?

John (32:03):

Yeah, operationalizing information security like operationalizing information governance is always the big challenge. It’s easy to design it, it’s hard to get it operationalized.

John (32:13):

So this has been great, thank you.

David Gould (32:14):

You’re welcome.

John (32:15):

And I think information governance is a fascinating field and I really do look forward to seeing what happens over the next couple of years. I do think that privacy will drive us to information governance, I just don’t know the exact timeframe yet. So I always like to ask, hopefully you prepared, because you’ve been good to this point, David. What fictional character or real person do you think would make an amazing or a horrible CISO? Or if you want to use the information governance professional, and why?

David Gould (32:39):

Well, I’m only influenced by my grandson, and since I spent time with him on Saturday, I would have to answer Buzz Lightyear, I think, would be the ultimate CISO guy. Because they’re dressed up, they look like they’re on top of the world, they certainly provide the aura and appearance of it, and essentially they’re some sort of superhero, so I think any CISO has to be some sort of superhero. And I think if you look at some of the current events over the last few weeks, the superheroes have let us down a little bit. That meat packing company that had the problem, well, they didn’t have two-factor authentication, you know, so they really hadn’t done the homework on building up those right security barriers. So maybe that’s a case where Buzz Lightyear could fly in and help somebody like that.

John (33:27):

And who wouldn’t love the catchphrase for information governance, “To infinity and beyond!” Right?

David Gould (33:33):

There you go. For an unrehearsed answer, that’s pretty darn good, John.

John (33:41):

I may be a closet Toy Story fan.

David Gould (33:46):

Yeah, there you go, there you go. There you go.

John (33:46):

One, two and three. I’m trying to remember if I’ve seen four, but one of the best sequences of films I think that have ever been produced.

John (33:53):

All right, so last question. How can folks get in contact with you if they want to chat about information governance and what EncompaaS might be able to do for them?

David Gould (34:02):

Sure, thanks for that. It’s David.gould, G-O-U-L-D, @, and here’s where it gets a little bit tricky, Encompaas, So, EncompaaS is an acronym for enterprise compliance as a service. So that kind of is the reason behind we spell our name a little bit differently. So it’s EncompaaS,, and I’ll be glad to have a conversation with them, understand it, and really most of all, do a good job listening as to what kind of business problems need to be addressed.

John (34:39):

Cool. This has been fun, man, thank you.

David Gould (34:40):

Thank you, John, I appreciate it.

Speaker 1 (34:42):

You’ve been listening to The Virtual CISO Podcast. As you’ve probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered or you need some help, you can reach us at And to ensure you never miss an episode, subscribe to the show in your favorite podcast player.

Speaker 1 (35:01):

Until next time, let’s be careful out there.