E39 - Arti Arora Raman Founder and CEO at Titaniam, Inc. Data Protection Company
44:54
SUMMARY KEYWORDS
data, companies, people, breached, privacy, protect, business, ransomware, attackers, thought, systems, pay, encryption, organization, person, security, stage, world, delete, encrypted
SPEAKERS
Debbie Reynolds, Arti Raman
Debbie Reynolds 00:00
Personal views and opinions expressed by our podcast guests are their own, and are not legal advice or official statements by their organizations. Hello, my name is Debbie Reynolds. They call me "The Data Diva". This is "The Data Diva Talks" Privacy podcast where we discuss privacy issues with industry leaders around the world, and information that businesses need to know now. I'm really giddy and excited to have a dear friend and colleague and collaborator with me on the show today, Arti Raman, who is the CEO of Titaniam. Hello, Arti.
Arti Raman 00:42
Hey, Debbie. Thank you for having me. So excited to be here. I've been watching your show for a while. And I'm thrilled to be able to, to have this dialogue with you here and share some of my thoughts. Yeah.
Debbie Reynolds 00:55
This is exciting. So actually, we met on LinkedIn. So you had contacted me on LinkedIn. And you're like, oh, let's have a chat. And so, you know, you really just stood out to me Even then, just with your little short message. I was like, yeah, let's get on the phone and talk and whatever. And we hit it off immediately. You know, we liked each other a lot, we had a lot of similar thoughts about kind of data and privacy and what the challenges were. And I was really fascinated about about your company, and you know, just your tech journey in general. You know everybody, and everyone knows you, right? And then just the way that you built your product, I thought was really fascinating. It doesn't hurt that you and I have a friend in common, who's Chris Roberts, who raves about you like crazy. So I was happy to be able to, to meet you and be able to collaborate with you. So let's start with your you know, I think I'm interested about your tech journey. And then talk to me a little bit about Titaniam and why it was important to create that company.
Arti Raman 02:05
Absolutely. Thank you. Thank you for asking. And and by the way, before I jump into that, likewise, Chris, and everybody else I ran into continue to recommend that I reached out and I thought, wow, Debbie must be so amazing. And you've turned out to be every bit as wonderful as they mentioned. So it's definitely a two way feeling here. So yeah, my a little bit about my background, which will create some context for this conversation. I have a mathematics background. So algorithms is something that I I find fascinating, and I tried to apply that type of thinking to important business problems, I think, anywhere that you can bring some innovation and some true technology at the heart of solving difficult problems, I think you can create some value for businesses out there. And Titaniam is in that category, specifically, the journey of the technology, it actually all started when. So I'm from India, if you can't tell. So 2019, middle of 2019, there was a large data breach in India, where pretty much everybody in the country had their biometrics compromised from a large database, you know, centrally controlled by the government. And, you know, I looked at that, and then right after that there was a spate of them, I think, bolgheri a number of other you know, super large, visible breaches, where people just lost a ton of sensitive data. And I looked at that and said, Wow, there must be a better way for us to be able to utilize data that is so critical people's identities, etc, while still keeping it safe. And so I started looking into encryption and how various encryption techniques are utilized and how they're able to facilitate data protection. And I also realize that it all comes to a grinding halt when the data needs to be used. So we have encryption at rest figured out for like the last 44 years or so with DDS and then a yes. And then for about 20, 25 years, we've had, you know, encryption and transit figured out where we're sending data from one place to another and using SSL now TLS for that purpose, but every time the data actually needs to be used, we bring it back into your text. And now we just have this data that we completely lose control over. And attackers are pretty smart, right? Ours is a domain where the adversary is extremely well resourced, well educated, highly motivated. And so of course, you know, they are coming in through the front door, they're coming in using legitimate credentials that causes all of the encryption and other protection to fall away. So look at all of that, and I thought hmm, there must be a way for us to implement and facilitate the usage of data without having an in clear text. And that's how titanium was born, we looked to apply new algorithms and some, you know, combination of new, new and old to be able to keep data protection on what it is used. And that, you know, then started to speak, obviously, to the data breach scenario that I mentioned. But it also spoke to Data Privacy. Today, it speaks to ransomware related extortion. So the applicability is pretty wide. But that was sort of like the heart of it, the genesis of the story.
Debbie Reynolds 05:39
Wow, that's really great. That's really great. Yeah, I love the way that you're thinking about this problem. And that's one thing, and I was really excited about when we started talking, I'm like, Oh, that's totally brilliant, you know, because I think also, one other thing about, you know, controls and people protecting data, if you make it hard for them to do their jobs, they're not going to do it. Right. So if you're protecting the data, while they can still work, and it's not becoming like a barrier to them, I think that always helps, you know, you know, the the parallel, I gave this, like passwords, you know, I think, you know, a lot of companies, they create these really, you know, difficult passwords for people. And a lot of people, what they do is they post it on a post it note on their computer, which is like, like the worst thing you could possibly do. So, I think we need to find better ways to solve problems that make it easier for the person to comply, and be able to, you know, do their work, right?
Arti Raman 06:44
No, absolutely. In fact, if you take a look at, where we're having the most privacy issues, or data compromises or leaks, breaches, you know, whichever factor you want to look at, you'll find that it isn't in the individual users access, right? It is actually in some sort of a bulk, like an administrative password, like attackers will come and look for escalating privileges, they might come in from the individual, but they're trying to go over to a place where they can access just millions, you know, tons of data at once. And so there isn't really a need to get in the way of the user doing their job, what we need to do is find a way for the mass access of data to not be possible. And one of the ways that and there are several ways to do that, right, you can monitor data exfiltration, you can look for anomalous activity. But what my company does is it keeps that encryption on all the way until that end user needs to do their specific job, which is usually a tiny little sliver of the problem, right of the data access. So that's sort of how we look at it. But we also don't ever persist that data, we don't go back and say, so we're trying to block those sorts of paths while keeping their lives easy and transparent to the protection. Yeah.
Debbie Reynolds 08:18
I think one interesting thing that I see that happens in companies in this kind of a culture, the culture of a hierarchy of companies, right, where they, you know, when they were talking about security or security training, they're really pushing it on kind of the lower level folks in the company. and higher level people, they think, as a park, that they don't want to follow those same rules of everybody else, but they're the ones with the access, right? So if a hacker gets like a low level persons, or I can't say hacker, because Chris gonna be mad at a cyber, cyber criminal, a cyber cyber criminal, I get access to a lower level person's credentials, there is very little that they can do, because that lower level person doesn't have a lot ton of access. So they're looking for those executives that have more access than they should have. They're looking for those, those easy admin 123 passwords they can get in because that is where they can do the most damage. And that's kind of the the high value stuff. So you know, again, I think that brings it back to what you're doing, where you're actually protecting the data and not just the perimeter of the organization, right?
Arti Raman 09:39
Yeah, absolutely. So the theory for us is, let's try to take the idea of zero trust, and let's apply it to data itself. Right. So true, zero trust would mean that you don't give access to anybody as far as possible, right? Don't trust anybody. And when you do need to trust make that as minimum privilege as possible, right. And so in that world, the high access individuals would be those use cases would be taken as far as possible without disclosing, you know, the crown jewels, because they perhaps are not needed. I'll give you an interesting example. So usually, in the world of security, we have a lot of analytics that happens and analytics on security happens on pretty high value data, right? Like our security operation centers, other places are analyzing behaviors, looking at what people are doing in the organization, lots of privacy, red flags usually go up. But there's so much data that gets analyzed in these places, that it isn't the humans sitting in front of their computers, you know, looking through every bit, they are automating a lot of this this work. And yet, it has to happen without encryption or without any privacy controls, because that data needs to actually be utilized, sliced and diced and analyzed and figured out you know, who's doing what, what is anomalous behavior, it's an it's a great example of where we can apply privacy controls, security controls protection, because none of that, you know, there isn't a person in front of a computer doing that yet that data is flowing through in a vulnerable way, where it can be tapped in and exfiltrated. So many examples in an enterprise where you don't need to actually put that vulnerable data out where it can be lost. And those are the easy ones, right? The big buckets of data that we can just protect, protect right away. Does that does that kind of resonate with with what you were saying?
Debbie Reynolds 11:49
Oh, absolutely. Absolutely. So let's, let's talk about the elephant in the room here, right, which is kind of ransomware right now. So ransomware has been around for a while, right? It's not a new story. I think it's getting more traction in the press, because we now we see these really huge companies paying ransom and having these vulnerabilities that they're trying to deal with in their business. I guess the thing, you know, I'm glad to see that more news is covering these things and like, and they kind of say, Oh, well, it's kind of out of hand, and maybe it is my opinion, I think we're hearing more about it, because these are more larger companies are being breached. So when smaller companies are being breached, or gone out of business, you know, it wasn't as big a story, but to see, you know, having, kind of, you know, like gas pipeline stop and people run out of gas, you know, that gets attention. But your view, you know, where, where are we? Where are we going? Are we getting better? Are we getting worse? Like what what's our what's, what's the state of play right now? Who like ransomware?
Arti Raman 13:07
Yeah, yeah, see, I think what we've been missing is a good framework to understand what is happening. And I've been doing a number of talks recently to just lay it out the way we understand it. And I think that one of the biggest disconnects at this point, which I think is quickly getting bridged just by by the experiences we're having in the market, the biggest disconnect is that ransomware has actually evolved from a two stage attack to a three stage attack. And many of us are still living in that two stage world. And by that, I mean, it used to be that ransomware was about locking up resources, and then extorting in order to unlock those resources back. Right. So you would get infiltrated, your key systems will get locked up, you'll get a message that said, hey, you need to give us a key or you can send your systems back up. And companies will either pay or not pay depending on how good they were at recovering their systems from backup. So in 2019, you had Garmin, a number of others pay, you know, large sums of money just to get their systems back up, because they weren't quite prepared are, you know, to deal with that, then, you know, early 2020, late 2019 companies and where security people, right, we're like, we're gonna invest in resilience. You heard a lot in 2019 and early 2020, about cyber resilience. It was all over our newsfeeds as well. And that was all about how do you recover from an attack really fast. So that was in the two stage world and right so through 2020, you know, through late 2020, so many high profile cases of companies that refuse to pay ransom, I think Norsk Hydro was one of them. And in there's like 22 counties in Texas that got together and did not pay. And so you had all this news about, hey, we don't have to pay because we've got our cyber risk. resilience strategy. So that world is now changed, because now the attacks are three stage. And the initial stage involves data exfiltration, right. So before your resources are locked up, your data is exfiltrated, because that is the lever that is forcing companies, even when they have secure backup and recovery and the ability to get back on their feet, it is still forcing the ransom payout. So if we need to sort of understand that the real threat the real leverage that attackers have on companies now, and I don't mean to diminish the impact of not having critical systems stand up. So the two states still holds. But in many cases, the real leverage they have now, especially companies, like JBS was one of them, where it was about the data, right? Because in the data extortion stage, right, which is your third stage. So first stage exfiltrate, encrypt second stage, extort to get your systems back up, third stage extort per data in that data extortion stage. Now, there's like three stages within that. So they'll ask the company, hey, if you don't pay up, you know, we are going to post your data. If that works, or even if it doesn't work, they'll go to the customers directly. So we've now seen cases in the healthcare field where attackers are contacting customers one by one, and threatening identity, identity takeover, etc, if that ransom isn't paid directly by customers. So that's what we're now calling triple extortion. And finally, even when you do all of that, there's no guarantee that your data won't be leaked or sold. So this new three stage world, it's all about the data. And so I think that that shift requires us to invest, not just in prevention and detection, right, which is definitely something that we have to invest, not just in backup and recovery, which is also a requirement, but also in data protection. And that's where I think like the zero trust for data idea that always on data encryption, the data in use protection, you know, making sure that we we are moving that protection into the data becomes really important. So that was, you know, that's sort of my take on it, that we need to move that and account for that third stage. And when we do, we will hopefully find ourselves in a position that more often than not, the data that we're losing has been encrypted. And that definitely softens the blow tremendously. If you can say that, yes, we were breached, we lost our data, we started our systems backup. But you know, the valuable data was all encrypted puts us in a much better place than having, you know, that data be sold or leaked, or customers contacted directly. So that's why I've been harping on the data protection side for a while saying, Hey, this is something that we must do in place, identify your key assets and protect that data.
Debbie Reynolds 18:04
Yeah. Yeah, I love I love the way that you explain that. I know that the thing that I have always been frustrated about is that I feel like a lot of people in the past have thought about kind of Cybersecurity or security as being perimeter protection, like let's protect the outside, so no one gets in where I you know, and then a lot of these breaches that have happened over the years, you see, once they get in, they just have their run of the place as like, oh my God, like, how many systems can they access? It's ridiculous. So for me, I always like say, you know, or I have a friend, David Krueger, he's amazing. He's gonna be on my podcast. He said, you know, assume that the attacker is already inside. Yeah, assume that they're in already. So now what are you going to do? So maybe that type of thinking will change the way people are thinking about how to protect the informations inside because you want them? You want to limit the damage that can be done to the organization? Correct?
Arti Raman 19:12
That is so true. I've been using the word immunity a lot. I mean, we're in the pandemic, right. So maybe that concept is going to resonate. But I think moving from prevention, to resilience to immunity is really important. And the whole idea of immunity is obviously right that you will get exposed but you have to put something inside the organization that that that reduces or perhaps eliminates, if possible, the impact of that exposure. So I do feel that data protection, if I may pitch data in use encryption, because I think that's the key part right encryption at rest has been around but if you keep that data protected, as far as possible, then that makes your organization more noon, then it would be a voice.
Debbie Reynolds 20:02
Yeah. So one thing that comes up a lot, and it, I don't know, it bothers me quite a lot that there's, to me, there's an overemphasis on the reactive side of this, and not enough on the proactive side. You know, it's hard. I work on practices. So when I'm working with companies, I'm like, you know, I'd rather be Smokey the Bear, right? This firefighter had this point. So I'm, like, you know, let's do things in a way that will reduce your risk of having an attack. And I think, part of part of the psychology of this, and why I feel like people aren't doing it on more of a proactive basis as they should be is like, you know, that's something that happens, you know, that happened to someone else, that can't happen to me, you know, what I mean? Or, you know, I have cyber insurance. So if something happens, I don't, you know, I don't need to be mature in my security and my privacy, because, you know, if I get attacked, I have the cyber policy, they're going to pay me back or something like that, or, you know, those types of ideas. So, I feel like, I'm hoping that with it, the way things are happening now, companies are gonna start to get more serious about proactive, you know, what are your thoughts?
Arti Raman 21:26
I couldn't agree with you more, I think that, you know, I'm having these conversations all the time now. And I have two types of people put them into camps, there are the ones that aren't doing anything about it, I'll put them into camps. The first ones are the ones that aren't able to prioritize this. And so that speaks to our general mindset of, you know, firefighting, right? Like, it's the crisis of the day, and until it's a crisis that isn't addressed. And so this type of proactive investment of time, and, you know, even understanding and organizing yourself, is just there are just fires burning ahead of that. And I understand and respected but it's a bit of a shame, right, that you will only take care of it, when it's a crisis, the other side of the house are folks that that genuinely believe that it isn't possible to protect. And so they then rely on, you know, ways to mitigate risks, which is where the insurance comes in, or you know, other things where they just feel like there's too much legacy. And I'm talking specifically, right, in terms of people that I've spoken to, there's just organization is too old, there's too much legacy infrastructure, data is everywhere, I just don't know how to get my arms around this to even be proactive. And, you know, those folks, I think genuinely can use some help with, with organizing or coming up with a framework or some way for them to prioritize their assets and their data and start to solve that problem. But both those sorts of people exist. And I think in both cases, you can kind of see why that might be the case. And yet, it just creates all this exposure. And the thing you mentioned about insurance companies, it's really timely, right? Because we are reading that those models are failing, right, those those risk computations and the ability to offer, it's basically all going out the window. And that whole thing is being rethought. In fact, I'm in some conversations now, where we're trying to come up with what else can can be put in place as a certification or in a certification is a big word, but some sort of assurance that we can say, hey, if companies have these measures in place, then that risk is actually significantly reduced. And that information can be given to an insurer, to then, you know, be able to evaluate how they might write a policy, because that whole thing is a mess now.
Debbie Reynolds 24:05
Yeah, I just read an article last night in the Wall Street Journal about how insurance companies and I knew this was gonna happen. I thought, actually, it's happening less later than I thought it was. So cyber insurance companies are really tightening up on those policies. So they're tossing people to bargain cancellation from policies, they're being asked a lot more detail about their security programs. their premiums are going higher, their cyber insurance will pay out much, much less. And that's just the trend that I knew that was going to happen, especially, you know, as I as we saw some of these huge really big breaches to happen with these really big companies. Yeah, you know, I was surprised to get paid out at all because yeah, that's the reason why they they you know, some of the some of these cyber issues or refis, were based on things basic hygiene, right? patching of server or smart sharing passwords, you know, the basic things no one wants to really hear about. But yeah, you know, organizational matter, man measures not having posted those passwords, you know, people's computers. So I feel like, you know, if we're doing if companies can get serious about doing those basic things and building on it, I think they could be in a better place. But then also, I don't know this, this, you know, I'm a dip in the psychology again, I think there's a narcissism, right? In a way with companies where they think only of themselves, so let's say you have a block, and there are like, five companies on the block and one person gets briefs, they're probably not gonna share their experience with the other four companies, because you know, whether they're embarrass or they're whatever, they're not going to do anything to really help to say, hey, you know, this happened to me, you know, here are things that you know, that we did try to, you know, protect ourselves, you know, do this before this happens to you. And so I think that cybercriminals have an advantage, where is the divide and conquer thing where people everyone's thinking about themselves, so they can go from business to business and like, and these tricks work every single time almost right, from business to business. And I feel like, if we are not trying to find a way to bridge those gaps, and have that communication happen, like, we're not going to be in a better place. What are your thoughts?
Arti Raman 26:40
No, I completely agree with you. There's multiple factors at play here. There's, you know, believe it or not the compliance element right there as well, right you, the more you come out and expose the mistakes, for lack of a better word that the mistakes that were made, they just feel like that puts them in a worse position to defend their stand or the measures that were in place. The other thing I'm hearing is that security leaders don't want to stand out. So nobody wants to get on, you know, with a megaphone and say anything about the topic, because they're afraid they'll stand out and become a target. And so becoming the voice of the defense seems to carry some risks in their mind. So there's, there's that and then finally, right, there's the it can't happen to me, like you said, it happened to them over there, it's likely not going to happen to me. And so not getting beyond their circle of trusted advisors to collaborate with somebody else, I think is a huge issue. But I've also seen recently some calls for collaboration, debates. So I'm thinking that this is going to change because I think people are realizing that there has to be government and industry collaboration, there has to be, you know, business to business, collaboration, and even just practitioner to practitioner with people sharing their the tools and technology. So I'm thinking this is going to change. At some point people realize, right, they're sort of all in it together, what's my hope, I'm starting to see some signs, signs of that
Debbie Reynolds 28:22
Hope so. I want to see more private, public private collaboration on that, you know, even if it is, you know, maybe in forums where people don't have to identify themselves, like there has to be more information sharing, and it needs to filter down to any type of business. I think so not just the big boys. You know, the small, medium sized business, I've been like, obliterated by cyber, cyber attacks and ransomware. A lot of those companies going out of business, right. So you know, they can't even tell their story, because they don't have a story to tell right now. So let's talk about privacy. So privacy, I think is a unique challenge. So one, one hand, when you're handling data, individuals who want to protect their rights, and part of their rights is to transparency, right. But then you also have to protect the data. So I think in the past, data protection has been about not being transparent. I love locking something in a box and not look at it, where you were saying, you know, this is data that you need. This is data that you ask for from a customer, you're a data steward, you have to be transparent with them, but you also have to protect it and be able to use it like what are your thoughts about that?
Arti Raman 29:45
Yeah, no, I think that's this might be basically the most significant technology need in the coming decade. I think because we have created ourselves a society that is So fundamentally dependent on data, that our inability to properly handle it and process it and protect it is not going to end well. Right, we're just creating all of these issues with that need for data. And so I think that it's so important, like you said, to be able to, to make that data, I'll say smarter, but to to move some of those controls into the data itself, so that we are able to let that data flow and be used while protecting it. And that speaks to, you know, some techniques that have been around for a while, such as, you know, data masking, or anonymization, or, you know, even synthetic data, you know, ways to represent data, or data sets, and still make them available without compromising privacy, I think all of those things become really important, because those are foundational, I don't believe that the constructs we have on top of that data are going away anytime soon, like we don't see AI disappearing, you know, we just don't see any data driven applications and functions going away. So I think our only choice is to come back and learn how to control and manage and protect that data and the individuals themselves. So at a high level, those are my thoughts, I think in terms of specific technologies, my company does play a role there as well. And, you know, to the extent that we can instrument, the data itself, so that it can be forgotten, so that it can be retrieved so that we can even we can collect and understand all of the data and control data that belongs to specific individuals and things like that. But I definitely think that is, that's incredibly important. We don't get that right. I think we're all in trouble.
Debbie Reynolds 31:54
Yeah. I also think that the nuance with privacy that I think companies struggle with a bit, which takes a lot more care and feeding and management is that a lot of the data privacy regulations say that you should delete or dispose of data or return it to the person after its business use has ceased, right? So it's not as easy. It's not like a statutory requirement, where you say, you know, keep this data for 10 years where someone can, like, you know, automate that it's okay to 10 years from now, delete, delete, delete, you know, this is like, okay, you're done with this data set. And then, you know, what I've seen over the past, because people because companies didn't have any force behind them actually deleted, that they just kept it forever. You know, and this is creating a lot of risks, cyber risk for companies, because of that data gets breached. Now, you have to go through and find out, you know, who are the individuals that were impacted? Or how many people and stuff like that? So, um, you know, I've always been an advocate of people getting rid of things after it's used that I've been, you know, very much so, because it's like, you know, why keep it like, there's really no reason, a lot of times people didn't have a reason. So at least I think privacy regulation is creating a reason for companies to really look at their data and the data of individuals and how they're using it and why they're using it, so that they can actually do that. But then that creates, there has to be more granularity, right? And how they think about their data. So what is the what, you know, what is the end of a business process for you? And then what triggers what triggers that? And then what happens after you figure out, okay, we're done with this data, like, how do you dispose of it? and things like that? What are your thoughts?
Arti Raman 33:55
You know, I think that, in many cases, the payment card people had stuff figured out before the rest of us. So if you remember, and I know it sounds like a non sequitur, but I'll join the dots here in a second. But if you remember how, you know, we tokenized credit card numbers Well, before we learned and thought to tokenize other data. And so we've been transacting making our transactions work with with some sort of a standing instead of the actual credit card number.
Debbie Reynolds 34:42
So I think I was talking about companies trying to figure out when data should be deleted at the end of a business process as opposed to you know, 10 year no, delete this after 10 years or five years or something. Yeah.
Arti Raman 35:00
So, where I was going with that was that in that side of the house, this idea of, of revoking permission has existed for a while, right? So companies, for example, have your credit card on file, right? And you can go in and you can change your settings. And you can say, okay, you know, delete this card. So I can do that at Amazon, I can do that anywhere. And I've been able to do it for a while where I can say, yes, you can keep my card, you can, you know, I'll run my transactions on it or no, now you can't keep my card. In the same way, I think the owners of your of the data should have this idea of controlling a key. And so businesses, enterprises are now doing this thing called BYOD. Okay, bring your own key. And when enterprises share datasets with third parties, they can enforce this BYOD a mechanism where the enterprise controls the key and the third party that accesses the data set has access to that key, but that key can be revoked. So you know, in my opinion, a granular version of that, and some sort of a way for the true, you know, the owner of the data, the person that truly cares about it, that once that revoked can actually exercise some sort of control. So in our world, we are starting to see the why okay, requests coming now at a granular level to be able to control, you know, those keys at a row level almost, you know, record by record, so that the mechanism by which you delete that data actually is in the key itself, because it's very difficult to chase that data around databases and all across the enterprise. If you had one control point, such as a key that you could delete, then that I in my opinion, that is sort of going to be the future, and you'll see many cases about data ownership, etc, when people are talking about a similar idea.
Debbie Reynolds 36:52
You know, I hadn't not heard that, BYU. Okay, that's brilliant. I like that idea. Now, but but I do like the term. Yeah. Yeah, I think it's gonna be a lot going on with keys and who has it? Who has the key to what, what data and I've talked to other guests about stuff like that. So I'm excited to see what happens in the future with technology. But you know, that that's one thing that really irritates me. Companies, it's like, you really, you know, you can't. First of all,some data is so old the knowledge has gone away in the organization, you know, yeah, so no one really knows, you know, it was in that back room, or what's in that cloud instance, or whatever. And people are afraid to delete it, because they don't know what's in it. And so that's a problem. You know, that that's one of those backdoor problems no one wants to really talk about, but it's something that I think, should get more attempted, especially because of you know, a lot of these data breaches, you know, they look at that stuff, the stuff that you don't want to look at someone that will be very interested to look at it,
Arti Raman 37:57
You know, an interesting point there. And it's a little bit unrelated to privacy, but still relevant, which is storage cost. So you won't believe how many times I have in the recent two months run into this, because I've been digging and trying to understand, right, like, what are your key assets? What is your data, and there's this issue of like, skyrocketing storage costs from companies hospitals, like you know, places that are just have all this data, were simply like duplicating or deleting, it impacts you in significant ways. Like, you can just justify that by simply saving on the storage costs, not to mention reducing your risk of being breached. And you know, that data becomes a liability. And I think you wrote a chapter in our book write about in the back to basics book about your data being a liability and not an asset, about similar idea. And the justification can literally be savings in your storage. In fact, I was having a conversation yesterday with a company out of Germany, that was sharing how in their area, the individual that I was talking to in their area, they're not able to go back and get their medical records past a year, because the hospital doesn't have storage. To store those things. There's just so much data. So that speaks to your point as well, that there is more than one reason we're seeing the impact of not deleting our data show up in many ways breach and privacy. And, you know, there's the site point here about how much we're spending.
Debbie Reynolds 39:32
Yeah, I love it. Also, just just to bring on briefly, you know, Chris Roberts made this point as well. And I agree with him. So I'm old enough to remember when people didn't connect everything to the Internet, right? Yeah. So my everything needs to be connected to the internet, especially some of the older data. So I think people you know, I think now because people are so in that mindset that oh, you know, let's turn on web services for this or that. You know, I remember when people had that discussion of like, should we put on the web or not? So we enable it for the web or not. And now it seems like it's almost automatic. So I think companies need to rethink that as well.
Arti Raman 40:17
Yeah, I would agree. I've been in quite a few conversations where companies are asking us making sure that we're offering our technology on prem. You know, before it used to be, Hey, are you are you cloud? Are you multi cloud? Are you hybrid cloud? And are you SAS? And those were the fashionable things to be? And now, you know, the question in, we're getting those questions as well. But we're also getting the question that, hey, we also want to make sure that you can offer this on prime, because some of our critical items of systems and data as we are now thinking better have it offline, or in our own control or on our own premises. So definitely, I see that. I also have a side thought that is a little bit of a ship that has sailed, right? So there's no getting away from protecting our fully connected infrastructure as well right?
Debbie Reynolds 41:16
I think so. So if it was the world, according to already, and we listen to everything you said, What would be your wish for privacy, whether we technology or law anywhere in the world?
Arti Raman 41:30
In my opinion, we need to move from a state where we are figuring out who to show data to who do not show data to I mean, right, managing that where data is available, and then we figure out, you know, who shouldn't see it, and flip it to a state where the default is private. Like that, I think is like a fundamental shift in how you think, right? So you manage by exception, instead of writing the rules on on, who should you turn it off for. And today, pretty much every system I've seen is wired the other way, where data is clear tax, and will mask it, you know, will be like, hey, this person should shouldn't see this, but this person shouldn't see this other bit. But there is a super user somewhere there is a manager owner, somebody that gets to see everything. And I think that change will change the game where that default is private, it is encrypted, it is tokenized. It's math, it's not even, it's just not there, it's not available. And then you manage by exception, who gets to see what, and I think that solves so many problems. And it forces us to think about who really needs the data? Because today we think about, you know, who is it that we want to block, hey, this is our enterprise, we have everything, but oh, that person over there is a third party. So you know, we kind of want to make sure they don't get our data, but everybody in this perimeter gets to see it sort of needs to be the other way where nobody gets to see it. And even internally, you say, hey, do you really need it? And do you really need it? And of course, the third party doesn't need it either. So my opinion, having that default is super important.
Debbie Reynolds 43:08
That's brilliant. I love that. Right? Well, because you think the internet was was built for sharing. So it's not it wasn't built for security, right. And then a lot of apps that have data, they were built to store data forever, like not to let it go. So some of them have feature or, you know, I've seen products that have features that wouldn't let you get the data out of it once you put it in there. So I think we just have to, we need to think the opposite way now. So I agree with that.
Arti Raman 43:39
Yeah, yeah. And I think a lot of change, right? Because some of these these instrumentations are baked into our lives. So I heard somebody say the other day we got into this mess one system at a time we're gonna get out of it one system at a time I kind of resonated with that. Although I you know, wish there was some large scale way of solving the problem, but I think step by step. Yeah.
Debbie Reynolds 44:02
Well, thank you so much. This has been a great session. I'm sure the audience really enjoy it. It's always a thrill collaborating.
Arti Raman 44:11
Thank you, Debbie. Thank you for having me. It was great to share my thoughts and as always, you have such a loud voice in the in the industry. So I appreciate you giving me an opportunity to have this time. But we'll talk soon. Thank you. Take care.