E138 - Sandor Slijderink. Expert CISO, All Things Information Systems

48:57

SUMMARY KEYWORDS

people, data, security, cybersecurity, privacy, information, chat, ransomware, put, companies, cloud, ai, thoughts, money, focused, gpt, cyber, firewall, printing, years

SPEAKERS

Sandor Slijderink, Debbie Reynolds

Debbie Reynolds  00:00

Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations. Hello, my name is Debbie Reynolds; they call me "The Data Diva". This is "The Data Diva" Talks Privacy podcast, where we discuss Data Privacy issues with industry leaders around the world with information that businesses need to know now. I have a special guest on the show, Sandor Slijderink. He is an expert CISO, all things information security; he's an educator, someone that I've known for many years on LinkedIn. I very much appreciate all that you do, the information that you put out, you know, so I was really excited that you agreed to do this podcast and I would love for us to be able to chat and be able to share your work and your journey. So why don't you introduce yourself to the audience? We'll start there.

Sandor Slijderink  01:15

For folks that don't know me, I've been doing this for about 30 years; from floppy to fiber, I recently started to kind of acquire and adopt that kind of little slogan, catchy little catchphrase, but I've done everything. I mean, I started off with bulletin board services and dealing with major BBS software and understanding telecommunications and operating systems, coding, programming languages. Up to now with the latest and greatest firewalls, fiber, policy, GRC. And you name it, I've done just about everything from, you know, from, you know, digging in the trenches to, you know, being a CSO twice. And I have learned a tremendous amount along the way from people like yourself included; you've been one of my mentors from afar, so to speak. So it's glad, it's an honor to be here with you.

Debbie Reynolds  02:19

Oh, my goodness, that's so sweet. You're one of these people. I mean, you're like a Ginsu knife of cybersecurity. So, like, you know how to cut through kind of the difficult issues, you know how to really communicate, what these people really need to know; I think you and I want your thoughts on this. I think people are confused about cybersecurity, mostly, in my view, because they don't understand that it's so diverse, right? It's not just one thing; for example, let's say someone says they're a doctor you don't assume, you know, not all doctors do all things, right? But for some reason, when you say the word cybersecurity, people think you do everything. And that's just not true. So, tell me just a little bit about the kind of way that you describe what you do and the way that you tell them about cybersecurity.

Sandor Slijderink  03:32

So for me, I love using analogies. So I think it helps people to kind of click and understand. But I look at cybersecurity as kind of like a vehicle; okay, you've got a car, and each component of a vehicle has a different function and a purpose. Now, you have mechanics that work on this cybersecurity vehicle, right, but they don't work on the entire car; some will work on just tires and wheels, some will, you know, then as they progress, they'll get into the brakes and then the axle and then maybe the transmission. Others will go the other route, and they'll start with windshields and, you know, body and frames. Others will start with, you know, focused on maybe the engine and the transmission and air conditioning systems. But in the end, you can't really have one person that can build a car from scratch by themselves. It takes an entire team to really design, develop, prototype, market and, you know, eventually produce for the masses, a cybersecurity vehicle. The same function goes within cybersecurity; you know, there's a lot of us. I'm not a strong programmer. I don't deal with a lot of programming languages. I can read code, and I can tell you what it says and what it does. But my focus having started was, you know, more on, initially, with networking, telecommunications, and then digging into operating systems as I grew along, and then working with compliance levels, so what you need to do here and there, so, you know, there's top, there's, it's going to be really hard to find someone who's an expert on the entire cybersecurity aspect. And so, for me, I've just chosen a few simple things that I push out kind of my Big Mac, so to speak. Yes, I can do nuggets and fillet of fish and cheeseburgers and everything else as well. But my Big Mac is, you know, focusing on understanding why and what you need regarding information security, which includes Data Privacy.

Debbie Reynolds  05:45

Right? You did a pulse recently, you call me out, and you have actually did a pulse a couple of different experts in different domains. And I love what you said about me, the car, you said data, data, data, Data Privacy, and I think that's probably very, very apt. Because I am a data person, I just decide to specialize in privacy. Because I think that's where I have the most impact. I think, for cybersecurity, when I'm thinking about the threats that are that we face today, we're not ready. So people, companies, and I think we were chatting about this a little bit before we started recording, especially small to medium-sized companies. They're just not in the right headspace, for the most part, in terms of what they need to do about cybersecurity. And part of that, I think, is this misidentified thought that somehow cybersecurity is only like firefighting, or you only do it when something bad happens. So tell me a little bit about that issue and cyber.

Sandor Slijderink  07:07

So especially with small to medium-sized, the larger organizations have adopted and hired individuals that know how to, you know, create, design, manage, and flow a cybersecurity program within their organization. They've got industry experts, they're surrounded by people who know cyber, who know it, who know physical security, information security, the whole nine yards. The small to medium-sized businesses, you know, and I've been one of those, a small business provider of security services. But when you're looking at it, as an entrepreneur, let's say you're going to start up a printing press, you know everything about printing, and how to push that printing material out and market and everything else. That's what you're focused on, you're focused on making money off of what you can do and what you have. Oftentimes, it comes at the end of the first year, and all of a sudden, you know, the Franchise Tax Board or the IRS sends you a letter and says, Hey, you owe us money, you know, you got to pay us. And now all of a sudden, we have to learn a whole new realm. Well, the same thing happens for information security; they don't realize all the information they've been generating week after week, day after day, month after month. The contacts that they have at different, you know, maybe publishers clearing houses, or book production, you know, book companies, or authors and people reading, readers who wanted to buy their, you know, whatever they're printing. So their mind is focused in the usually a small shop, you know, usually two to five people kind of a thing for the first year. So unless something, you know, unicorn happens with them. But for the most part, that's where most small businesses start at. Their mindset isn't about security at all; their mindset is access and sell, sell, sell, sell. So let's make money so that we can get a bigger building out of the printers.
It's now four years down the road, and you know what, our printing machines are about to be obsolete; we need to get a new one, or do we spend that money on a cybersecurity program? Well, if you're putting it at that, you know, do I pay for my car to get fixed, so I get to and from work, or do I pay for the medication that my youngest needs, so that they don't have epileptic seizures anymore? You know, which do you put off, which do you put on the back burner and the front burner, and this is the decision you see in small and medium-sized businesses is, you know, what's going to make me money because I've got a car payment, I've got a house payment to come up. My oldest is going to college, I need an extra few $1,000, and I need it now. And we always need that, we're always going to need that extra couple $1,000. We're going to be chasing that extra couple $1,000, even as a Fortune 500. With small to medium-sized businesses, they're not seeing how much money an information security program can make them. The same printing press, you know, let's say you, you know, want to start printing material for the Department of Defense; they need pamphlets, they need little cards, they need things to work with. Well, if you don't know that you need to get CMMC 2.0, certified level one, even just to make the, you know, the business cards and the pamphlets about where to go and what to do, or the contracts to DD 214 paperwork, whatever. They're not going to get those jobs. So now what you look at is, you know, you find someone who can, they need to find a way to integrate information security, so that it's not just a burden. And that's what they're truly looking for is trying to find a way to make it not a burden of financial cost, but a financial plus.
And a lot of times, it's because they don't see it, it's because we fail, we fail to show them that there is a way to increase your profits, to solidify your profits and hold steady your profits even during times of like COVID and any other, you know, recessions, depressions, etc, etc. If you have strong information security, but more often than not, we come across as, you ever watched that old, I think it's a Trolls, I think it's made by Disney's Trolls with, trying to think of who's in it, but it's a troll movie came out last five, maybe 10 years. And they're always, there's this one troll always screaming the Bergens are coming, the Bergens are coming. I honestly think that that's the way non-information security people see us that are working in information or cybersecurity, they just see us as Oh, you're going to get ransomware to tech, you're going to hail kind of a thing. And that's what they're seeing. So we're Bible thumping them with, you know, with the CMMC, or the NIST guide, or the HIPAA guide, or ISO compliance guide, whatever it is, and we're thumping them on the head telling them the burdens are coming, the burdens are coming. We fail because that's how we come across. And the ones that win are vendors who, you know, roll up in their Porsche and their Rolex. And hey, I've got this beautiful firewall, it's chrome plated, it's got nice little blinky lights, great cooling fan, it'll never fail you. And they'll buy them up for $200,000 a pop, left and right, over and over and over again. Meanwhile, there's nothing in that box that's anything new over the past 10 years. Right? Firewall only does really three things, it opens, filters, and closes a port based on the rules that you put into it. Whether you access it from a front end, or the back end, you have special monitoring and blinky lights or anything else, in the end, a firewall just does those three things.

Debbie Reynolds  13:01

That's true, very true. Talk a little bit about the cloud. So the cloud has come along like gangbusters. Definitely a need for that, especially during the pandemic, where a lot of people had to really pivot from being on prem to try and figure out how to do things more remotely with different tools. But I think, you know, in a way, and I want your thoughts about this, in a way, people took some of their bad information security behaviors and moved it into the cloud, which made it more risky. So tell me a little bit about that story.

Sandor Slijderink  13:49

Well, the cloud and I've been, I'm not a huge supporter of putting things in the cloud always. I've softened my blow over the last few years. But, you know, the cloud is a great place to test, develop, and even affordably expand on the fly for a sudden growth that you weren't expecting or planning on, on, you know, planning on, so I think it's great for that. But we really should not be focusing on all of our data and putting everything in clouds. Because, in the end, you look at the cloud as someone else's computer. You really want to put that mindset, whether you're the DoD or you're mom and pop Joe's pizza shop, do I really want to store all the data, the secret recipe to our pizza dough, or the nuclear codes on a cloud, on someone else's computer? Okay, and truly understand that aspect of it. Is there a way to secure the cloud? There is. Oh, but realize that the more security you put on the cloud, the more it is going to cost. Cloud service providers provide a server, a hard drive space, and connections for you to store your data. So in essence, most of the time, unless you're like Rackspace, or Nulab, you, you know, the cloud service provider owns the server, they own the power that's going being fed in there, they own the RJ45 connectors that are going in and out, they own the firewall, the building, the security, the all the stuff, all the switches, and routers and gateways, and fiber and everything else that you've got going on inside of a data center, a cloud-based data center. We put our information on that. Now, while it's not necessarily true, ownership and possession is nine-tenths the law of ownership, right? So we can get charged with possession of the stolen property. But you never hear anyone, you rarely hear anyone complaining when they're in possession of the good property, good data. So what are the big box companies have? Do they have all of our data that we freely put on there?
Because we pay pennies to the dollar, because, you know, so that we don't have to store it in our own facilities? So they're technically the owner, nine-tenths of the law, owner of the data. And, you know, they've got bigger money than this, especially the small or medium-sized companies. So if a small company says, Well, no, we want our data back. And, you know, Big Box Company says, Well, no, we own nine-tenths of it. So we'll give you 10% of it. And we're going to take the rest, we're going to close up shop, and we're going to open up in the Cayman Islands. Yeah, right. And that small business would be, you know, SOL, so to speak, from go trying to go after it, because they don't have the resources and connections and understanding because they've been focused on the printing press for the last 10 years, trying to grow that and maintenance and hiring and firing, and, you know, customers and all that. So their focus has been lost, so to speak.

Debbie Reynolds  17:25

That's true. Let's talk a little bit about privacy and how that interacts with the cybersecurity domain. I think, especially, you know, privacy has been around. But I think, when the GDPR went into full effect, in 2018, it became a C-suite issue, mostly because people were afraid of the fines that the companies could get, especially if you're handling data of someone in the EU. And we've seen it. A lot of my friends in Europe, they're very frustrated with GDPR. Because they feel like, they want these regulators to do more enforcement and do more fines and stuff like that. But it's been very influential. Around the world, we're seeing a lot of our laws, even at the State level, borrow liberally from GDPR. But I want to talk about how does privacy play in a symbiotic way in your space, in cyber?

Sandor Slijderink  18:41

So, and I want to touch base; I can't remember her name for the life of me. But I recently watched a video the last, I think it was last week sometime. It was a former head of Data Privacy for the Bank of America. And she came. She presented this analogy that I thought was phenomenal. Think of Data Privacy as going into your home and closing all the blinds. And now, if you're on the outside, you can't see it. Okay, it is private. However, you don't have security systems out there. So you don't have security. So anyone can break in and take a look at the privacy and take the data that's inside there away anyway. Now on the flip side, let's say you put bars on the windows, security cameras, alarm systems, etc, etc. You've now got a security system, but you haven't closed the blinds. So anyone driving by, they can't get to it, but they can see in there, and they can see all the data that you have, plaintext, no problem, and they can recreate and duplicate that data. So you have to really, you know, when you're looking at Data Privacy and data security, you really have to pair them together and make sure that your blinds and your curtains are closed as well as, you know, that you've got security camera systems and alarm systems and bars on the windows to prevent people from unauthorized access, not just unauthorized visibility. So, you know, if you go into any programming language, and there's, you know, read, write and execute, are the, you know, the three main functions that you apply to any piece of data, and you got to make sure that you block that read, write and execute, at the same time by utilizing Data Privacy functions, as well as data security functions.

Debbie Reynolds  20:28

Very good, very good. So tell me what is happening in the world today, that concerns you the most, either in cyber or privacy.

Sandor Slijderink  20:39

What concerns me the most? So many it's hard to choose just one. But for the most part that people are looking, It seems that organizations and people are either ignoring the fact that information security needs to be something that's applied to not just their organization but also to their own personal life. The other element is that, especially with the larger companies, they're trying to find ways to circumvent, having to be compliant and having to do things. So you have companies out there that have been heavily fined by let's say, GDPR. Well, instead of making themselves GDPR compliant, they find ways that the GDP so that the GDPR no longer applies. But we're not going to do that, or we're going to sandbox that part of our company over there. So that they handle that. And we handle this, in some ways, they, you know, they've resolved it. But more or less, it's more about trying to find ways to avoid prosecution and persecution from compliance measures rather than to find ways to actually be compliant and actually enable that. And in some instances, they spend more money trying to circumvent the compliance and protecting themselves against coming after versus becoming compliant and becoming an example in their specific industry. You know, if you had a hospital that was unsafe, was completely unsusceptible to ransomware and all kinds of things, and had regular pen testing done to this hospital, that hospital would probably wind up on the news eventually saying, you know, this is a pillar this, this, this hospital, you know, it's a, it's an, almost an impenetrable fortress, that then makes that that particular entity become a shining example of what you want to do and how you want to do it. But instead, we choose as businesses and as non-information security people, practitioners, we choose to ignore, avoid and circumvent as much as possible because it's seen as a burden, a cost, you know, yeah, a burden on our wallets. 
I think it concerns me, we know things are gonna get bigger and faster. And I created a post a few weeks ago, if ransomware were to have a magic bullet tomorrow, it's not going to make those ransomware groups go away; they're going to find another vulnerability to exploit, another way to attack it. Because if you've been robbing banks for five years and making millions of dollars a year off of robbing banks successfully, and suddenly that comes to an end, you're gonna find a new way to rob banks or a different bank to start robbing. So you're gonna find, you get different tools, a different vehicle, a different whatever's, it's not going to end today. Even if we stop all of that today, they're just going to find a new way to attack us and pummel us. And we're not getting attacked and exploited by something that's new ransomware that first came out in 1989 via floppy. They're still doing it today. And we haven't learned. Oh, well, if we encrypt properly and backup properly, and test our encryption and backup properly, we will not lose and have to pay any sort of ransom. We wouldn't need cybersecurity insurance to pay for ransomware. We took the encryption key and we didn't put it on the server that's encrypted.

Debbie Reynolds  24:32

Right, exactly. Oh my goodness. So I want your thoughts on what I call data hoarding. The corporate edition. So definitely, Data Privacy regulation has a big influence here. Because in the past, there was no legal reason for companies to delete data, right, so they could just keep data forever, you know, there are some statutory, there are still some statutory things to say like you have to keep tax records for a certain amount of time or whatever. But the thing that Data Privacy regulation is bringing in is the idea that you need to tie your data collection or data retention to a purpose. And once that purpose has expired, you're supposed to get rid of it or anonymize it or something like that. And we're seeing companies do a really bad job at this because I think they never had to think about this. So they never, they've never had to have the type of transparency that's being required now. And they never had to get rid of or delete data. So their idea was like, let's just keep as much data as possible. But we know that increases their risk. So tell me a little bit about that story and how you work with companies around their data risk of hoarding all this information.

Sandor Slijderink  26:07

I'm trying to see if I have an example of that. But I have a box, a few boxes of old stuff that I've had since the 80s, you know, an old hard drive that's like massive, weighs about 20 pounds, I've got old floppies, I've got old stuff that in the back of my head when I go to try to throw it away. It's like one, it's memorabilia. But to have, I might need this again, I might want to use this again. That's a lot of stuff. And you know what, my wife can't throw it away or sell it at the garage sale because I might need this, I might want this. Yeah, it's 20, 30 years out of date or, you know, maybe 5, 10 years out of date. But, you know, my mind says, we'll keep it so we save money. So I can just, I'll install Linux on there, Tiny Core Linux or something like that, or DSL Linux. And you know, use it for my kids. Never get around to doing it, because I've got a whole bunch of stuff. But meanwhile, I have a box of RAM sticks; that one doesn't work for anything anymore. Because they're not the right size and they wouldn't add up much, even if I put them all in one on one board wouldn't make as much RAM as what's on my smartphone. So I think a lot of that has to do with we want to keep it just in case we can use it again; maybe there's a way we can reach back out to these people and remarket what we have or, you know, sell that data somewhere to Cambridge Analytica or something similar to that, you know, we can base sales volumes off of that kind of like an old almanac. So I think there's a lot of reasons that those data controllers, or data, well, data controllers and data processors maintain that data is, we might need to use it for something else. We can use this later on. Here's a project that we're going to put together in the next couple of years. And I think that's the mindset that we live in, kind of a hoarding mindset, like, oh, no, I don't want to get rid of, you know, our bread until it's all gone, or till we see visibly mold on there.
You know, especially if you live in a lower income. It's like, oh, there's a little bit of mold. I'll just tear that piece off and put some of your peanut butter on the rest of it, right? As you get older, you kind of look at and go oh, there's one spot on the entire loaf, when you throw the whole loaf away.

Debbie Reynolds  28:42

Yeah, all right. All right. What are your thoughts about AI? Especially like this generative AI, ChatGPT has kind of taken the world by storm. Obviously, there's cybersecurity issues, and there's privacy issues, but I don't know the best way to say this. So there's, there's a feeling here about what's happening. I feel like it's almost like when the commercial Internet was created, right, where people didn't quite, didn't know what to do. They didn't know what to think, you know, people were trying to find ways to really leverage and utilize it. So tell me your thoughts about what's happening right now with kind of generative AI, and your concerns on either the cybersecurity or privacy front.

Sandor Slijderink  29:36

I think it's wrong for us to be afraid of it. It's inevitable. ChatGPT 4, by the time this airs, will have been out. And I've been reading some posts on what it can do, supposedly, purportedly, it's getting released I think, today or tomorrow. But it's inevitable. And probably by the time, you know, middle of the summer of 2023, it's going to be, you know, ChatGPT 4 is getting released, probably by the end is ChatGPT 5. All right, we're getting closer and closer to quantum computing, to where it's affordable and accessible to at least the upper 50% of the population. We know that once that becomes adopted, the next milestone is going to be double that. So we're going to have quantum x two, you know, processing power, look at the processors, you know, going back to the 80s, and 90s, you know, we went from the Pentium to the Pentium to the Pentium four, and we went from single core to Quad Core, dual-core, you know, dual eight, you know, dual quad-core, we just kept expanding and making things faster and faster, smaller and smaller. And it's getting more and more affordable. If we are afraid of it and we try to push it out of our minds, it's not going to go away. And we need to poke and prod at it and understand what is it doing and what's really going on in the background. Because to me AI, even today, is still, you know, AI and ML are still more mathematical equations and solutions. ChatGPT has changed a little bit of that. It's kind of a, it's kind of put AI/ML on, you know, DuckDuckGo search engine, you know, or Yahoo search, bar, whatever. So it's, it's giving you information that's already been presented and put out; I've tried ChatGPT and look to see what the results come out of; it's about 9990 to 99% accurate, but it's pulling the information that's already been pulled out, it's not creating that information, it's just referencing that information. And even when you go to the website for ChatGPT, the CEO, the CTO for that company is phenomenal.
She's an absolute, she's a genius. So if you ever get a chance to bring her on, probably should. But it's referencing something. So it's already been created when you log onto the website you're looking at. And it gives you a little disclaimer, hey, this stuff's, you know, the material you're being presented is two to three years old. Just so you know, it's nothing new; it's not something that came out yesterday, if you're looking for something more relevant, you'll have to do your research somewhere else, something similar to that kind of a disclaimer. So in that model, you know, just with that disclaimer, it's a reference model. It's just taken all the information and made it accessible, either directly or via APIs or some other means of connecting to those databases that those search providers have, you know, built up themselves. So we need to not be afraid of it; we need to understand it, explore it and know what it does so that we can work with it. Instead of combating against people using it. It's a tool like anything else.

Debbie Reynolds  33:23

It is a tool. I mean, to me, it's almost like sometimes people kind of rage against some of these innovations. Because they see the downside, and we shouldn't look at it right; we should look at the upside and the downside of not putting our blinders on. But that's almost like saying, you know, people hit people with bricks, let's not use bricks, right? It's like, well, we use bricks to build houses and do other things. Right. And I, a lot of these arguments, I feel like we were making these arguments about the Internet. You know, I remember when the commercial Internet came aboard, so companies didn't want to use it. Right? And we know that you just can't have a company at all most of the time now without using the Internet in some way, shape or form. So I think it kind of definitely evolves there. But one thing I want your thoughts about, and I feel like we tell people this all the time. It reminds me a little bit about how we try to tell people about phishing. You know, phishing has been, over the years, a very effective way for cybercriminals to really be able to infiltrate people's systems, but people sort of fall for these tricks constantly. But the parallel I have there is, you know, like a lot of people are saying things like generative AI, companies are trying to stop people from using it because they don't want them to put confidential information sent into it or sensitive information. But I feel like we've been telling people to do this forever, right? Let's like, you know, tell them about the Internet, we would tell them this about Google Translate or, you know, anything, smart speakers, don't put confidential information in and around it or whatever. So, tell me a little bit about that.

Sandor Slijderink  35:24

You know, it's not just AI-based, you know, an ML-based chat, like ChatGPT; Microsoft recently released one that try and competes with it on their Bing side. So Bing's kind of making a comeback, I think, but maybe it should follow along the same policy, especially the large corporations, organizations should have a policy that says, hey, don't put any intellectual property, any confidential unclassified information, federal contract information, any development items in any search place, whether it's ChatGPT, or DuckDuckGo or, you know, if you're still using Google, I guess, Google. But because they're watching, they're paying attention. And when someone comes up and goes, ooh, carbon core for aerospace, and someone starts putting the dots and looking at different things. Well, the search engine you view, regardless of which one, now has the data of where you, what breadcrumb did you just fall, did you just follow? You know, so regardless of whether it's ChatGPT, DuckDuckGo or anything else, any kind of chat function, anywhere, even on LinkedIn, you start talking about these and starting putting that in there, then those breadcrumbs are going to start, someone else is going to come up with that idea, they're going to realize, oh, that's what they're researching. That makes sense. Hey, Tim, can you do this, you know, and then Tim goes, Yeah, we can make this happen. And then John, and believe it oh, Bob, and Jane, and anybody else comes together, and they start putting the whole thing together, they've got more money, you know, especially these big box cloud companies. You know, they see all that data, that nine-tenths possession kind of a thing, whether it's illegal or not, illegal legal term or not. Officially, they have that information, and they can use that information that you've just put on their servers. So ChatGPT is just another AI chat of any sort, is just another level of that.
It's nothing new, it's mostly a search engine, and it's gonna give you the results that you want to see. So it's perfect for salesmen, you know, for salespeople, but we want to not avoid it, we don't want to stop it, we want to work with it and use it because as we can use it, the bad guys can use it too, which we can then use against the bad guys as well. We can see where this is coming from and ask those same questions. Hey, where are people finding this information? Oh, it's stored here and there.

Debbie Reynolds  38:26

Yeah, yeah, I definitely think you shouldn't like fold your arms and like say, you're not going to use it; you need to know what it is. You know, I tell people, you see it in the news, and they're reporting about it, because people are going so crazy about AI, all these tools that are coming out now. They're trying to incorporate some bit of AI into their tools because they think this is the hot thing, let's kind of just roll with it. So you know, even people who try to avoid it may be incorporated in tools that you use every day, and you need to learn how to use these tools and know how to leverage them for what you're doing, or you're going to be like, you know, digitally illiterate if you don't understand, right?

Sandor Slijderink  39:18

I love cars that are basic. Okay, manual crank, windows, manual locks, manual transmission, everything is manual. And it's, you know, generally, I've got to go to an older vehicle to get that nothing technology wise it they're not because I'm afraid of technology in a vehicle, but because I realized that, you know, what, if my car gets zapped with lightning, okay, driving down the freeway. If I'm in a non-technologically advanced vehicle, chances are my speedometer is still going to work because it's a steel cable attached. Okay, the rest of the car still gonna work. I'm still going to be able to unlock the doors and crank down the windows, and you know me have everything because everything is mechanically based. There are fewer places to break. Now, I mean, I, you know, you get a smart car, which really is just someone mounted a, you know, a tablet onto the dashboard. You know, it's got built in GPS and you know, you've got an OBD-II sensor that it connects to. So it can see those sensors of anything, you're pushing out through the OBD-II sensors. If you're into cars, you'll understand what that means. But that's why I love going to some of the older things because they're going to be fewer to break. And the same thing goes with bolting on and adding on things just because they're gimmicky and everybody wants to see an IML Well, in this day and age, everybody pretty much knows that. If you've got a military-grade that means it's just, you know, the lowest bidder won that contract for military-grade, you know, military-grade security. Thank you. SolarWinds.

Debbie Reynolds  41:01

Very cool, very cool. What would be your wish for either cybersecurity or Data Privacy anywhere in the world, whether that be law, regulation, technology, or, you know, human behavior? What are your thoughts?

Sandor Slijderink  41:26

I'm pretty strong on this one. It should be with education and awareness, security, education, security awareness. We have kids; I've got children ranging from six to up to 25. And I can tell you that with virtual classrooms, going to work, watching TV, while it's not even watching TV, now, it's just streaming services, we don't even have cable anymore, because you know, all the streaming services you can think of. But we're not embedding and growing information security in our education. It should be taught before he even gets into first grade; you should start to understand, hey, there's a review. With my kids, I started before they even got into first grade; they have a pin, they have a code on their tablets for them to access it. And then we have a master password that we can use to access it so that we can control and guide what they're doing. Because they're going to go to it anyway, they're going to find a way to get into it. So I might as well give them access and provide them with enough ability to do to release that stress and that curiosity about what they want to do. Usually it's you know, watching silly videos or something like that, or playing things like Roblox or Minecraft, or My Little Pony Princess rides around or something. So I can control that and monitor that behavior. But I don't I see it coming from the schools directly, where I got a mass email from one of the principals. No BCC; I now had everybody's email address from all the parents that went to that school that were in first through sixth grade. Every single one of them, I'm like, okay, I can copy and paste and use this; you have kids that go to V prep, I could craft a really nice, you know, phishing email based on just that and probably be 90% effective. It needs to be within education, we need to put information security in education because it does not exist. I know there's some people that are older data, Data, Privacy rights, digital privacy rights and etc, etc.
But schools have information that should be HIPAA compliant, they collect payment card instrumentation, so they should be PCI compliant. At the very least, they need to have those two items, you know, so there's some security that needs to go in there. But I think I truly believe there's one aspect that we need to focus on, it's pushing information security practices and understanding within the education system and starting him at kindergarten first and second grade. I mean, it's gotta be imperative. And not just once a month, it's not, you know, don't treat it like sex ed, where you just get it once, you know, once in sixth grade, and then we're done with it, you know, kind of a thing. We want to put it in so that they have it as part of a regular ongoing curriculum. You know, make it a course that you understand information technology, and the security, how to use your devices. You know, teaching them about meta tags, GPS locations based inside your pictures, and why you shouldn't do this or that social media. I mean, there's so many avenues within an information security education platform that you can build in, and you can build it all the way from kindergarten on up to, you know, masters, cybersecurity students like, you know, David over at UT Austin, or George Bailey at cyber tech over at Purdue.

Debbie Reynolds  45:11

Yeah, right. I follow that you're teaching at the University of Texas, Austin; I think I'm going to do a guest spot with them as well. But what you said is absolutely right. And I hadn't thought about it this way. You know, I feel like the fact that we're struggling with cybersecurity issues at all is because it hasn't been taught; it hasn't been folded into everything that we're working on with data. So that makes perfect sense. And I hope to see that definitely from the very beginning, people need to understand that they have data; they need to protect it. And if you get them into those habits, they'll be kind of less susceptible to some of the more harmful things that happen.

Sandor Slijderink  45:59

And as our children grow up and then we become older and older, and we wind up going into our nursing homes or convalescent homes or whatever the case we or our parents are going into that our kids can then help and manage that information security practice also and push that into our, our parents or even into us as we're retiring and you know, not to leave this earth. That is where true information security is going to make a difference is that we need to have a foundation of information security and everything that we do. It's not something Oh, don't talk about files in the elevator. And then someone goes, well, they said don't talk about files in the elevator, but they didn't say anything about an escalator. So I'm gonna talk about the files on an escalator. Just because it wasn't mentioned, and that's the way we see it today, is okay; we look for the loopholes. What can we do? You know, versus how can we make this stronger? You know, oh, we're HIPAA compliant. Okay, great. So you have 256-bit encryption on your data? You know, can we increase that at all, you know, 2048, possibly, kind of a thing? And it's free. But it's gotta be, we've got to start building that foundation of information security within all of us, as children, so that it becomes just as, as every day is how you use a fork and how you write in cursive or how you turn on your phone or brew coffee. You know, it's gotta be second nature that, wait a minute, that's not right. You know, don't talk to strangers, we tell them, tell our kids not to talk to strangers. And our kids eventually grew up and talk to strangers most of the time. So, you know, we've done great at that. But we're not applying it to information security, which is the realm that we live in today. Everything we know more about people on the other side of this planet than we do right next door to us. Half the time.

Debbie Reynolds  47:59

That's true. Very true. Wow. This is amazing. Thank you so much. It's been a pleasure to have you on the show. It was an honor to be able to have you impart this information. That's so smart. Oh, my goodness. Well, thank you so much for being on the show. I'm sure we'll chat more, as always, on the Internet about other things. Thank you so much. This is great.

Sandor Slijderink  48:26

You're very welcome. And it was my honor to be here. Thank you so much for having me.

Debbie Reynolds  48:32

Yeah, all right. Talk to you soon.
