George Gerchow: The New Age of Data Privacy
"Data isn't just the lifeblood of security, it is the new currency"
Welcome to the Masters of Data podcast, where we talk to the people on the front lines of the data revolution about how data affects our businesses and our lives.
Sometimes it feels like we’re living in a really scary world today. We’ve been happily searching away on Google, Instagramming our life, and sharing on Facebook, all with an expectation that we have some control over our own story. It’s not like we don’t know that there are some “big brother” actions going on, but it doesn’t really penetrate the veil of our everyday work or our personal lives. It feels like that’s changed now for a lot of us.
The revelation of Russian hackers influencing our election and Facebook data being used to manipulate our voting patterns are just the latest entries in an endless parade of stories about yet another company being hacked and offering us the pittance of credit monitoring software to make up for the loss of our personal information. It’s in that context that we’re going to talk to George Gerchow today, the chief information security officer at Sumo Logic.
George and I did this interview during one of the biggest security conferences on the planet, RSA, and in the midst of a lot of noise about data privacy. In particular, a lot of people are talking about the new privacy regulations coming out of the European Union, the General Data Protection Regulation (GDPR).
George Gerchow’s Journey to Information Security
You are the chief information security officer at Sumo Logic. You’re working in security at one of the cutting-edge companies in Silicon Valley. How did you end up where you are? Where did you start?
That’s actually a really good question. I was at VMware, where I came through an acquisition, and I was a “double boomerang” there, which means I was there twice within four years.
When I was there, I enjoyed the time when I ran the Center for Policy & Compliance, where we did heavy content around security and compliance, especially related to fear and cutting-edge workloads.
Think about where we’re at now, we’re a cloud-native company. We’ve built on microservices. VMware was there 10 years ago. They were on the bleeding edge of technology at the time.
An interesting thing happened to me though. Right around 2014, everyone was talking about AWS and cloud, and security people like me were actually telling people not to go to the cloud because the workloads wouldn’t be secure.
In fact, I had a saying: “If it’s core, it stays on the floor!” Now people yell that out to me all the time. I’ll go to a conference and people will say, “Yeah, cloud! Microservices, CI/CD.” Then some people will say, “What happened to, ‘If it’s core, it stays on the floor,’ Gerchow?”
I wanted to work for a bleeding edge company. I wanted to be in the Valley and the opportunity to work with great people at Sumo came up, so I took the job and I have no regrets.
Data Is Currency But What About Data Security?
As part of your being a chief information security officer, data is the lifeblood of security. Can you talk to me about how data is part of your every day?
You just said it, it’s not just lifeblood, we call data “currency.” It’s such a great point because, in the past, you would have to do security half-blind. Your budget was dependent upon how much data you could gather. You’d realize you couldn’t afford to get those logs, so you and your team would have to do the job half-blind.
Now we’re starting to move into this position where the more data we get, the more resilient we can be. We can use historical information and current analysis to predict future trends. Now is the time to build data lakes and start really investigating a multitude of data across different types of workloads.
Data is lifeblood and it is currency.
The more data we get, the more resilient we can be.
One of the things that has been coming up in the news a lot recently is data privacy. What has really changed about data privacy in the last couple of years?
I think people are becoming aware. People are starting to realize that every motion on the internet is data that’s being gathered about you to either market to you or to hack you. Sometimes, it’s both of those.
It goes way beyond the enterprise. It goes down to personal use. You could be out with your kids somewhere and check in on Facebook and tell the world, “Hey, look how cool my life is. I’m here with my family doing all this stuff!” All of a sudden, that’s being used against you.
Every motion on the internet is data being gathered to either market to you or hack you.
Before, people warned you not to check in to certain locations because then people know you’re away from home and they can rob your house. But now, it’s also that companies know how to market to you, how you’re using your data, and what your family structure looks like. Then that information is being sold. It’s pretty scary. A lot of it starts with the current administration, not to be too political, but the fact that the current administration is now allowing these telecom providers to sell and use your data as well, that’s really, really rough.
Improving Your Information Security
We’re seeing more security threats, like Tor Proxies. Everyday users, like my parents, who are in their seventies, are using Tor Proxies to be able to protect their identity.
Tell me a little bit more about what that is because I’m not sure everybody knows.
A Tor Proxy is a way of masking your identity. It’s like being behind a VPN within a VPN. Before, when you saw a Tor Proxy pop up, we were able to detect, with some of our threat intelligence information, that it was something unique. It was either someone with malicious intent who was trying to remain anonymous or it was a security professional who was trying to be anonymous.
Well, now you’re seeing everyday users do it because they’re trying to protect their identity, which leads me to GDPR, Government Data Protection Regulation, and it’s about privacy. All this starts and ends with privacy. Privacy is what everyone on the planet cares about. GDPR is just the beginning. Japan just released their own version, Privacy X. Everyone is starting to go down this path.
Improving Data Privacy, Worldwide
Is GDPR just a European thing or is it bigger?
It’s huge. It’s worldwide. Because if you do business with any country or any company that does business in EMEA, or if you have partners that do business with any companies or customers in EMEA, you’re now held under the regulation.
Wow! I didn’t realize that. So, it really does have a pretty wide effect. And it’s about to come into play very soon?
Yeah, May 25th of 2018 is GDPR D-Day.
People are freaking out I assume.
Yes, exactly. Last year, Jen Brown, our DPO or Data Protection Officer, and I were wondering why other people weren’t looking into GDPR. How come other people weren’t looking at all the different articles, going through their business processes and the handling of data, and then going through the Data Protection Agreement (DPA)? Then we both said, “You know what, wait until January 1st, 2018, and panic is gonna set in,” which is exactly what happened.
It does seem to be coming up a lot more. I don’t think many people knew what it was just a few months ago and now it’s all over the internet.
It’s exploding. I don’t know if you know this or not, but we created a self-service portal at Sumo Logic. The self-service portal allows prospects and customers to come in and answer their own security questions. They can look at our certification association results on there under NDA.
So, it’s under NDA wrap, but we also put a DPA in there, where they can download it, sign it, and then it goes back to our legal team. That DPA is by far the number one downloaded document at Sumo Logic, and it’s only been alive for two weeks. We had over 160 prospects and customers rely on it without any outside publication or training. The DPA by far is the leader.
Wow! I have definitely been hearing more about this recently because of everything that’s going on and the public’s fear. Zuckerberg was in front of Congress thinking about hackers, people misusing data from Facebook. Honestly, it’s getting a little scary. How do you see that from your perspective doing what you do?
You’re right, it’s scary for us. I want to make sure all of our customers’ data is protected. We had a real advantage because everything in our environment was encrypted anyway. But then we’ve had to do some tech things that go beyond that; things like Data Loss Prevention (DLP), which is something we didn’t have before, or like really going through with every line of business whether it’s HR or marketing and deciding how to handle data.
Think about it from an HR perspective; we’re hiring in EMEA. All of a sudden we have someone from EMEA that’s coming on board. What is the process for those applicants, for protecting that data? Which leads to the most hardcore part of it, which is the right to erasure.
The Risk of Data Privacy and Social Media
Going back to something you had said before too, it seems like there’s a growing recognition of this. I listened to some of the excerpts on NPR about the Zuckerberg interviews and some of the questions being asked just amazed me. I think it’s representative of the wider American community. I don’t think many people really understand this at all. They don’t understand what they’re giving away and what they’re putting themselves at risk for.
It’s not “free.” I’m gonna give the younger generation a ton of credit right now; teenagers noticed this trend a few years ago. They were on Facebook when they hit a certain age because their parents wanted to see all the cool things they did growing up. Then they decided, “Facebook is not for me,” because there’s just too much information. Their parents could see everything they were doing. So then they went to Instagram, then Facebook bought Instagram.
Now, they’re all on Snapchat, and Snapchat was really created around privacy. I’m a Snapchat user because my kids are on Snapchat, and you can actually tell if someone takes a screenshot of one of your snaps. You can’t tell who’s watching your video, your snap. So, as a third party, even though you follow me, you can’t tell if someone else is liking my stuff or seeing it. It is based on privacy. I think younger kids today are already getting this notion, whereas we adults are learning this lesson the hard way.
It reminds me of hearing the interviews with Orrin Hatch asking Zuckerberg how they made their money, what their business model was. He responded, “Sir, we sell ads.”
I don’t think he’s the only one that doesn’t realize that. I think that’s really fascinating. These younger kids have grown up being connected 24/7, pretty much their whole lives now.
If you take this back to the enterprise now, it’s almost the same thing. When you and I were talking about doing this interview, you were kind enough to send the invitation via Slack. So, we’re leveraging Slack, we’re leveraging email, we’re leveraging text messages at work. All these different communication mediums that we’re using and where is that data going? How is that data being protected? Who can use that data? Who can resell that data? There’s a lot to be considered there.
I always love that metric that’s been quoted: By 2020, there will be 16 zettabytes of data. That’s like watching the whole Netflix catalog 30 million times back-to-back! It blows my mind. You and I have been in this industry for a long time and the slapdash way that people still handle their data is both ridiculous and frightening at the same time.
By 2020, there will be 16 zettabytes of data. That’s like watching the whole Netflix catalog 30 million times back-to-back.
It goes back to what you said, a lot of people just don’t know. It’s a generational thing. It’s an education thing. It’s funny to me that one thing that’s been instilled in our team, one of our mantras, is agility. Who would have thought that a security team would say we have to be agile? The reason why we have to be agile is because there’s so much data coming at you from so many different data sources, and you have to automate all of this privacy and technology functionality on top of it, just to be able to keep up with the data. It’s insane, but I do believe that. I believe that security teams today have to be agile.
With so much data coming from so many different sources, security teams today have to be agile.
The Future of Data Privacy
Tell me a little bit about where you think this is going. What are some big changes and trends you’re seeing and talk a little bit more about the public level in terms of policy.
Day-to-day right now it’s really, really hard to keep up with all the emerging regulations. And, let’s face it, you may or may not care. I care about privacy. You care about privacy, but you may not care about an individual regulation that affects a certain part of the world.
The whole idea is to build a deep, mature privacy program, measure regulations against it, and then do a gap analysis on the risk of moving forward into this regulation. Or you decide it’s worth the risk and that you won’t remediate.
But a mature privacy program sets you up for success no matter what the regulation may be, then you can do a gap analysis for remediation if you want. But the important part is just understanding the flow of data. If you can get a handle on the flow and control of data, you’re going to be further ahead than most people.
One of the things I’ll say is you’ve got to automate everything. Like that self-service portal, that literally automated an FTE, completely. So, when I go to the CFO and I say, “Listen, we’ve automated all this functionality, but we’re getting this much pressure coming in because of privacy,” then I can establish another FTE to automate some other things as well. Because this whole thing has got to be automated. If you’re going to be agile, you can have manual intervention when it comes to privacy and protection of data.
If you can get a handle on the flow and control of data, you’re going to be further ahead than most people.
Yeah. You’ve got to apply the human intelligence and human experience at the right points, not in doing things that are basically repeatable. It makes a lot of sense.
Public Policy in the US
Tell me a little bit more about some of the public policy stuff that we’re talking about. Based on your experience, where do you see that going? Are we going to see GDPR in the U.S.? Do you think things are really turning around? Because this is something people have been asking for a long time.
This is a political thing you’re asking me right now, because I’m gonna upset some people. In some ways, the U.S. is way further ahead. I’ll give you a great example. Data breach notification wasn’t something that was instilled at enterprises in Europe. So, if a company got breached, they didn’t have to tell anyone because there was nothing like PCI, like SOX, or like HIPAA forcing it out. We’ve always been pretty good about that.
Now, there have been a lot of companies in the news lately who have been slow about announcing their breaches. For the most part, everywhere I’ve worked has had a data breach notification program. So, the U.S. has been pretty good about it.
I think there’s going to be one common global privacy regulation that attacks PII no matter what nation you live in because we can’t cripple the way we do business with each emerging privacy regulation.
Think about Spain. There are like five different factions in Spain, and each one of them wants to break off and start their own privacy regulation. Now, multiply that across each country in Europe, then multiply that across each country in Asia. Where are we gonna be? It’s like the way we work from a federal perspective to a state perspective. We’ve got to do more things at that top-line level.
So, I think it’s gonna get worse before it gets better, but then, eventually, there’s going to be some overarching policy.
Yeah, maybe it takes something like what’s been going on with Facebook and the Russian hackers in the election to really change how people are thinking about things.
Yeah, absolutely. It could be. Public awareness is a good thing. We’re seeing it now in the media with things like Facebook and it’s just going to increase from there.
Here’s one of the parting thoughts I’ll leave you with. June 1st of 2018, somebody, and I feel sorry for whoever it is, is going to get audited by the European Union under GDPR. It’s going to be nasty, we’re going to learn a lot, and then we’ll improve from there.
Yeah. Well, George, I really appreciate you taking the time. As always, I love talking to you. This has been a lot of fun.