Lockdown 2018: The Cyber Tsunami – Current Trends in Cybersecurity


>>And it’s my pleasure to introduce our first afternoon
speaker Heather Stratford. Heather Stratford is no stranger
to a lockdown conference. We were fortunate enough to
have her last year as one of our keynote speakers and
she’s back again this year so we’re really especially
excited about that. Heather is the founder and CEO of Stronger International
Incorporated. Her experience ranges
from technology startups to legacy industries
like construction and traditional publishing with having launched two
International companies of her own, Moxie Marketing
and Stronger International. She now specializes in startups
and young organizations. Heather has an MBA in
International Management from the Thunderbird School
of Global Management and a BA in Communications and
International Relations from Brigham Young University. Please join me in a warm
welcome to Heather Stratford. [ Applause ]
>>Thank you. Can everybody hear me OK? All right. The toughest spot is
right after lunch. All of you are going to try
and go to sleep on me and it is my job to make
sure that doesn’t happen. It’s a really important
topic and one that I speak on quite a bit. But let me just tell you
a little bit about myself, because one of the things
that’s hard when you come to a big conference is
you kind of detach, right? You can sit there
and check your phone and not interact very well. So let me tell you a
little bit about myself. So, I have five children. I have been to 35 countries. I love making crepes
for breakfast. And I am a pretty decent
mountain biker and can go down some Black Diamond
trails like nobody’s business. So, that is– that’s a
little bit about who I am. So today we’re going to talk
about the cyber tsunami. And I like that word
because it’s not overly used in the media today but it
really brings out this idea of a huge wave coming
towards us. And we’re in the industry. We know it’s coming and
oftentimes we’re almost like the bell ringer, the wave
is coming, the wave is coming and we’re trying to let other
people realize what’s really coming our direction before
it pummels the beach and takes out the pier and
everything else. And so, this is a very accurate
word for where we are right now. So, I’ll just keep talking that
cyber tsunami is the topic. And we’re all those
bell ringers. But there are several things
that are coming our direction. We’re an industry
that’s changing rapidly. So, 20 years ago, you didn’t
have data protection officers, you didn’t have cybersecurity
CISOs. I mean that wasn’t
in the lexicon. It just wasn’t there. And so, things have shifted but
they’re continuing to shift. And so, my talk today is on
all those different things that are on the horizon. Sometimes you get involved in
your daily job and you’re busy, you’re putting out fires,
you’re head down looking at what you have to look at. And it’s rare that you lift your
head, you look around and say, oh my gosh, things
are really changing. So this is have you think
about what’s on the forefront of our industry, what
is changing things now and what stayed the same. All right, perfect. Thank you for your help. OK. So, I love this image. I think all of us can relate
to this, because you look at it and you say, oh yeah,
head in the sand. How many of you have
some stakeholder that’s in either your department or
above you that this represents? Come on, hands up. Do you have anybody in
your organization who says, well, that’s not a problem? Well, we didn’t have to deal
with that five years ago. Well, why do we need
budget for this now? What do you mean
it’s a regulation? I’ve never heard of
the regulation, right? How many of us have this? Yeah. OK. So, that’s the one
thing we have in common, right? And because our industry
is changing so rapidly, this is inevitable, right? Our job is to help explain this
is why, this is what I need, and this is how it’s going
to help the organization. Whether that organization
is a large university like the University
of Wisconsin Madison, whether it’s a small company
that’s privately owned, or whether it’s government. Everybody needs to know
why is it important. So the data breach statistics. I took this about six weeks ago. The numbers are perpetually
changing. But the main thing
is since 2013, the number of stolen
records increases, increases, increases, right? This is not new to us. But it’s great for you to be
able to tell those stakeholders, hey, everyday, everyday? That’s a lot of, you
know, has a zeros there– I’ll put my glasses on. I’m starting– I just
these like three months ago and I’m still getting
used to it. OK, every second, 58 records
are stolen every second. That didn’t happen
20 years ago, why? We had our own little network,
we weren’t connected in, we didn’t have cloud, right? We didn’t have all these other
things that are evolving. So there’s the problem, right? So how are we solving that? OK. Current trends. We’re going go over all
these areas, increased cost, IoT attacks which we had a great
presentation on this morning. Health care is a targeted
vertical and why health care. The shift to crypto
mining and what that shift of crypto currency is doing. That also involves
some blockchain, right? And then more regulations
and what that regulation environment
means and how it’s changing. So, the current trends– let’s
talk about increased cost. OK. So, how many of you
have an increased budget from three years ago in
either IT or in security? Increased, do you have
an increased budget? OK. So, the average is somewhere
between 15 and 20% increase, but that takes into account
all of the smaller companies and enterprise, right? But there’s more people. There’s more things. This is a specific instance
which I like to look at because it has so many
different characteristics of what is common nowadays. First of all, how many of you
are familiar with Paras Jha? He is the one– OK, I see
one person back there that’s really brave. Nobody else? Directors? OK. All right, so this is
two people, two people. All right, so he was a student,
a very bright student who got into the system and said,
well, what can I do, what can I do, what
can I do, OK? Still lives at home, he
decided to create some malware and he decided that one
of the targets would end up being the university
which he went to. You know, it’s back in the day where you were a high
school student you wanted to change your grade
from a C to an A, right? OK. So, it’s hacking the system. So, he went beyond
that and actually shut down the record system
and slowed it down and he targeted it at
a very specific time so that it would make the most
disruption for faculty staff and student sign me up. OK. They estimate that
the cost was between– And I think this
is a huge range. I mean, I think lawyers got a
hold of this so I have no idea. But somewhere between 3.5 and
$9.5 million was estimated as the damage that
they incurred. Now he pleaded guilty in a Trenton courthouse
to this offense. What’s sad is they can’t pin
all the other things that he did on him, because he gave his
secret sauce to other hackers and they went along and
helped and the virus of 2016 is attributed to. Now, what do we learn from this? This is something that’s
going to happen more and more. First of all, now he
was in faculty and staff but it was an insider
threat, right? It wasn’t somebody completely
unfamiliar with the system. Another thing is that it
took a while but finally went through that legal system. How much did it cost
the university? A lot of money. Now, in response to this,
they have put 3 million in the past two years, and that
statistic is about a year old, into upgrading teaching
training, et cetera, to catch up. So this is a trend. Increased cost both on how
much is in your budget, how many people you have to
fight it, but also it crosses that legal side, right? And when you cross the legal
side and you start racking up, then all the costs
are increasing. OK, let’s talk about
IoT attacks. So with a great presentation
this morning, and I wanted to go into just this one– a
couple specific examples. So, medical is a
specific example of where IoT becomes very scary. And the reason that we
know about a lot of this is because the media
picks up on it, right? When you start saying that
you’ve got baby monitors and heart defibrillators
and different things that are pacemakers that are
very tied into a person’s life or death situation, then all of
a sudden you have a headline. It’s sensationalized. Does it mean that it’s the
only place it’s happening? Of course not. So, they say that 4 point– 8.4 billion connected devices
were catalogued last year, so 8.4. So, what’s the guess for 2020? At a year and a half away, how many connected devices
on IoT are estimated? Anybody going to be brave? Say it. Say it louder. [Inaudible]. Yup, yup. So it’s between
20 and 21 billion devices. Look at that exponential growth. We’re talking about trends. So when we have that
presentation this morning that said scan your
university, scan your company, figure it out what IoT devices
you have, this is the trend.
head in the sand on IoT. So, let’s look at what
this particular attack was. The recall was for 465,000
pacemakers and pacemakers, right, life or death, making
sure that heart beats. There’s a reason that they
disconnected former vice president Dick Cheney’s
pacemaker because they were
concerned about that as a hacking potential, OK? So, St. Jude Medical was
the original producers of the devices and
they were later bought out by Abbot pacemakers. I’m not sure Abbot really
knew what they were getting but they got it anyways. And this shows us another trend. As companies gobble up other
companies, what happens? You get their staff, you get
their IP, what do you also get? You get their risks and
you get their policies in what they’ve done, right? So, right here, Abbot pacemakers
inherited a huge mess. Do you know the most
recent patch to these pacemakers,
was in April of 2018. OK. So it’s a continuing risk
and it’s a continuing problem. Talk about their bad press and
publicity, it was huge, right? They bought something
they thought and it kind of unraveled in the
media on this. OK. So what did we learn
from this IoT attack? Medical is a huge vector
that is being attacked. It is sensationalized in the
media and yet it is a place where they’re patching– the other thing is St.
Jude continued to send out the defective devices
after it was identified. OK. Because they
have an inventory. It was a dollars and
cents move, right? They had an inventory of product that they didn’t
just throw away, they continued to send out. So, OK, IoT attacks. This one I think is great
because it’s kind of fun. OK. Have you heard
about this one? A Darktrace CIO talked about
this in one of her talks. The internet connected
thermostat in the lobby aquarium
of a large casino. Who has heard of this one? OK. I think it’s great because
I can just see a little fish swimming around and nobody
is thinking about it. But how was Target hacked? Through the HPSC system, right? How was this casino hacked– and
it isn’t unidentified casino. How were they hacked? Through the thermostat, right? An IoT device. It can be anywhere
through the thermostat. Now, what do they get? They pulled the access of
the high-roller data base with all personal information
and they pulled it back through all the way out, OK? So, what did we learn? Use good security products. Identify even what IoT have because it is the
trend of the future. This talk is about the
cyber tsunami, right? It’s a tsunami. It’s coming. What is part of that
wave– IoT, OK. Internet of things
is part of that wave. And educate your staff, right? What’s our first picture? The guy with a head in the sand, you cannot keep your
head in the sand. Twenty to 21 billion devices within the next 18
months, right? That’s a lot of devices. All right, so what’s our next? Legacy of gadgets. So, the problem is we
have a lot of gadgets that are already
out there, right? It might be OK that we’re
continuing to think about, well, how do we make the
[inaudible] from this point on? But how many things are
already in the system? How many things are
already on the shelf? How many things are already in
your closets in the warehouse? They’re already created. That’s a problem. So, there’s a legacy of
these gadgets create a lot of vectors that can be attacked. I have an associate, a friend
who is the founder of Bugcrowd. Who here is for the Bugcrowd? All right, a couple of
people, a couple people. So, I love it because we are
both female entrepreneurs in a very ever changing
environment and she had the great
idea of saying, hey, if you got the devices, let’s
have white hacking and figure out where those bugs are. So, there’re a whole evolution
of people, high schoolers, college kids who’ll say, hey,
I’ll try and hack that device. And they go in and they– if they find something
they get rewarded, right? And so, they have a
whole system set up. Now, how does this sit with you if you are let’s
say a baby boomer? What do you see as a flaw of this? Do you see any flaws? You’re purposely having people
try and hack your product? OK, I see some laughs. What’s the problem with this? Is there any? OK. [ Inaudible ] Yes. So that’s the whole point. So it’s like a marriage. They say we really want
to make sure we’re safe and they’re actually
hiring people to do this. It’s the new wave. We’re talking about the
wave of the future, right? The wave is, if you have a
small company and let’s say, I don’t know, you
have a pacemaker. You might have a
staff of 10 people. Maybe your IT team is 20 people
but you only have 20 minds. What happens if you
could get 100 minds and they were all
thinking about security? How valuable is that? That’s very valuable. And so, crowdsourcing of IoT devices is the
wave of the future. And they’re not the
only ones doing this. There are other crowdsourcing
that is out there. I think they do it well and
are continuing to move forward. So, if you haven’t learned about crowdsourcing
hacking, go search it. This is the way that you– we are going to safeguard
what we have. Can you– new malware. So malware is not decreasing at
all, but it is evolving, right? So in the old days,
we might have had the “I love you” virus
that came through. Who remembers the “I
love you” virus? All right, OK. We had people attacking
certain things. We look at malware and there
was a 42% decrease in malware when ransom– as
Ransomware took over, right? It is a part of the
malware spectrum. And it’s funny I have a
presentation where you look at malware and you have a couple
of malware that has come out and then it exploded
in 2015, 16, and 17. Why? Why did it explode? What’s behind the malware? Who is behind the malware? That’s a better word. Who? Who is behind it? Be brave. Come on,
who’s behind it.
>>Organized crime.
>>Organized crime. OK. Bad actors, organized
crime, however you want to verbalize it there are the
good guy, bad guy mentality. Organized crime is
trying to get money. And they’re doing it the
easiest way possible. If the malware works,
they’ll get it that way. Fishing works, they’re
going to do it that away. If spear-fishing works,
they’re going to do it that way. And they’re ever evolving
because as you clamp down on one area, they’re
going to shift to a new area. So Ransomware was the big
one that came out in– who here has been
hit by Ransomware? Anybody? OK. So, I’ve helped people
who have been hit by Ransomware but haven’t
personally been hit. I used to give talks and people
would say, well, it’s not going to happen on a personal
device and I’m like, why? What a criminal not take
a personal credit card but take a business credit card? No, it’s about the money. So, it doesn’t matter
where it is, it matters if they can get the
money and how easily, right? I want to talk about this
increase in electricity usage. Who here is fairly familiar with or who has any crypto
currencies in the room? Who here owns crypto currencies? Raise your hand. A couple of people. OK. So, huge phenomenon
that’s part of this wave that is changing
our environment. And what’s different about it is that is based on
blockchain, right? And blockchain is
pieces of information that are stacked upon each other that then are verified
by other computers. So what does that do
to our computer usage?
>>Goes up.
>>Goes up. It goes through the roof, right? So crypto mining is all
those computers, logging and putting together, those
blocks of information. So if you don’t know about
this, if this isn’t part of what you read,
Google it, search it. This is part of the
wave of the future. Now, it was interesting
to me because I am working on some blockchain
entrepreneurial things and I ran into new people on
my– in my building. So, I have a certain suite
with, you know, offices. And then on the other end,
somebody had moved out and there were quite
a few offices open. And I said, so who’s moving in? And I discovered I have
crypto miners that moved in down the hall from me. Isn’t that ironic? I used cybersecurity and
crypto miners moved in. So I said great. So I go off and I chat with them
and we go to lunch occasionally. And one of the reasons that
they are specifically in my neck of the woods is because I
am from Spokane, Washington. That’s where our
headquarters are. What’s unique about
Spokane, Washington? Say it louder.>>Cheap power.>>Cheap power. OK. How much do you pay for
your power per kilowatt? Do you know? You all run computers,
you all have a house. How much do you pay
for your kilowatt? Too much. I like it. I like it. OK. So, in Spokane, we pay
5.6 cents per kilowatt. So that’s about 40 to 50% lower
than the national average. So the highest rates
are in South Carolina. Now, that’s the whole state,
maybe different regions or lower, but the west
tends to have lower power. So Utah, Colorado,
Washington, right? We’re around a lot
of dams and hydro, and so we have very low power. So guess who’s moving
in everywhere? Crypto miners. I’ve got crypto miners
literally down the hall from me.
of the future, OK? Now, going back to the
Ransomware, it’s all interwoven. Because now, we see a slight
decrease in Ransomware in the beginning of 2018, why? Because those bad actors
have discovered it’s easier to get passwords or
get into crypto mining or to get somebody’s
crypto currency password than it is to do this. And so they’re shifting. Will it shift back? I bet it will by
the end of the year. It’s going to shift back. But right now, it’s
the hottest thing. So stay with what works. Ransomware attacks for
three-fold in 2017. Now I just mentioned
that in the beginning of 2018 they [inaudible]
but it’s because what’s easiest, right? What’s easiest? Undetected, if they
stay undetected longer,
tools rely on a [inaudible] file to detect and block the threats. What’s going to be easiest? So, when you’re thinking about
your strategy for cybersecurity, you have to put on
that mental hat of if I were a bad guy,
how would I do this? You have to say, if I was
trying to get into the system, what’s my weakest point? And when you can
put that hat on, then all of a sudden you can see
the places you need to work on. There are trainings where
we put people through and basically red team
blue team go after and say where’re
the vulnerabilities, where’re the holes? That’s what that hat
you have to put on. OK. How has phishing evolved? Who in this room
helps run a phishing– or is in HR or security and
helps run anything with phishing in their organization? Raise your hand. OK. So, phishing is evolving. Where was it before? Went after the individual. And it still does but the latest
trends are phishing is going after the whole organization,
OK? Not [inaudible] favored
this method, right? So, because it will look at
settings that you have set up and it will be able to
go into the backdoor. Attackers are increasingly
evading detection by living off the land. What is living off the land? Who knows what that means? Go ahead. Say it loud. [Inaudible]. Isn’t that scary? Did you hear him? He said using existing tools
basically to attack you, right? So, I– think it’s very scary. But if I had a black hat on,
I would look around and say, you know what, this
is the easiest way in. I know how they’re
going to configure it. So I’m just going to
use it against them. PowerShell, Windows
Credentials Editor, all of these are part of that. OK. So how many in this room
use one of these platforms? Raise your hand higher, higher. OK. Realize that that is where
the attack vectors are shifting. OK. More regulations. Regulations are a huge part of,
what, shifting and changing. Now I speak about GDPR. Does everybody here–
Raise your hand if you know what GDPR
is, general data, right? OK. So, it has a lot of
media play because May 25th, it became the most recent but also the most stringent data
protection policy in the world. Now, Australia might
debate with me on that and some other people. But for 28 nations,
for 512 million people, it became a de facto, OK? So what’s different about this? The EU has determined that
they feel a digital footprint of a person is a
right for price. So, Thomas here sitting on
the front row, his information if he’s from France or
if he’s from Germany or any other EU country,
it is his information which means he has rights
to that information, rights to be forgotten
or rights to be– to know what they’re
doing with it, to know what they’re
selling into a third party. I’ve often hated signing,
putting my email address. How many of you have a
fake email address just so you don’t have it? OK. You have to, right? Because if you’ve given
your real email address, it ends up on, who knows where, and you didn’t give them
permission to give it to that third party who sold
it to the next person and all of a sudden you get
all this junk, right? That’s the whole issue, right? That’s the issue. Do you have control and should
you have the right privacy of your own data? The EU has come out and
said, yes, we believe you do. Now, the US right
now is still kind of behind the scenes on that. They don’t– We don’t have
at any place that is– right, we have the right to
life, liberty, and the pursuit of happiness, right, but not
to the privacy of our data. Now, will that change? Maybe. But this is not
a debate about GDPR. This is about looking at
what the future is bringing and the future is
bringing a tidal wave. And part of that tidal
wave is regulation, because everybody said, how
come I have to have a second and third email just so
I don’t get junk email? How come, right? Well, the reason is because
we don’t have good laws or we haven’t really– it
hasn’t caught up to it, right? We’re evolving in IT and as a
nation and as a world faster than people can regulate it. Well, regulation is coming. So, as you see this
coming, it is here. So, the GDPR went
into effect May 25th. Already, there are fines going
or they’re starting a process. Now, I had a conversation
with somebody at lunch about the GDPR. And what did we discuss? It’s really about how
to change behavior. They’re not trying to
say, hey, you Google or Facebook who’s
here, or anybody else. We want to go after you. What they really want to do
is change people’s behavior. And what did they want? They want to have people protect
data, good data protection. Good stewards. That’s what I like to say. I like to say good stewards. Are you maintaining your
stewardship of my data? Can I trust you? Prove it to me. And the way you prove it
to me is be transparent. Let me choose. If I need to break off our
relationship, let me do that. And that you– then
don’t sell my information to more people, right? It’s transparency
and data protection. It is going to revolutionize
and change marketing, right? What does marketing
do right now? Behavior. Spam. But they know everything. They know that I searched up,
you know, going to Hawaii, so now I get all these
ads for Hawaii, right? They know that I searched this. Like marketing is
going to change. So how was it really– how
are they going to do that? How are they going
to stratify that? That’s the new wave
of regulation. And people are arguing about it. And I’m not here to
tell you it is right or wrong, it’s good or bad. What I’m here to tell you
is it is here, get your head out of the sand because it is
coming, you can be influential in it and you could help
your organizations understand it better. But it is not going
away, it is here. So more accountability for both
public and private sectors. For some people, is this scary? OK. Raise your hand if you
think the GDPR is scary. OK. It’s kind of scary. If you understand it. Now, I know a little bit– I
know too much about the GDPR. And I’m like, I mean
the documentation side, you got all of these
documents, you got a– I mean, you think [inaudible]. OK. GDPR documentation
is way worse, OK? It is like way more in depth. And you kind of have to
know all these legal terms. And it’s there but it’s here. We’re not discussing it, like,
oh, maybe in the future, right? No, no, no, it’s here. Get your head out of the sand. Now, what is the US
doing about this? Well, right now, we’re
scrambling in trying to figure out our own identity
on these issues. So you look at New York. New York recently
passed the NYDFS. So, the New York Department
of Financial Services in February 16th of 2017, passed
more stringent regulations for anybody that is
in insurance, banking, loaning money, you
know, all these areas, anything with financial, right,
that hits through New York. Well, how many companies
are in financial that don’t have something
in New York? I mean, really, right? So, formal risk-based
cybersecurity programs, they– it is a 14 point cyber security
policy that is mandated, 7 point incident response
plan that is mandated in the regulation, OK? Seventy-two-hour notice
in the regulation. So there’s crossovers
between this and the GDPR. Are they the same? No. Are they both trying to
think about how to regulate and properly address issues? Yes. This is what New
York has tried to do, OK? California, who’s
familiar with the AB 375? OK, we’ve got some people
who do know what it is, OK? This happened about
the same time that the GDPR was going through, but the GDPR got all the
press coverage, right? Instead, this is about rights
of privacy for Californians. Now, California is the fifth
largest economy in the world. It used to be sixth. It’s overtaking Britain again. And so, it is now the fifth. So, some people say,
as California goes, so does the rest of
the nation, right? Mainly because auto
manufacturers [inaudible] other people if it has to be
compliant to California, it’s kind of a de facto, right? So, California passed this and
it has some crossover to GDPR but very different
in other ways. It passed to the legislature
but it has not been ratified by California residents. There is a18-month window. It is not going into effect
until January 1 of 2020. And they’re already
trying to clarify ambiguity. Because that’s the
problem, right? As an IT professional, you’re
like, well, what does this mean? How do I actually
incorporate this, because I can’t tell what
somebody in Washington or somebody in Sacramento
[inaudible] what does it really mean? So they’re trying to
clarify it and understand it. Hopefully it’ll get better
and not worse, right? But they’re doing
a huge attempt. Now, I put up here one of the
things that’s really different. So, it allows consumers
to sue companies for unauthorized
access as a result of the business violation. All right, this is a
big shift in regulation. So, what this California
regulation will do is let’s say, I have a company in California
and I make pacemakers. And for some reason,
I didn’t do my job and I didn’t hire
the right people and I didn’t have my
security plan in place and I was very negligent. If I get breached, then those
consumers can actually sue me. This is where IT is going to
cross over into legal, OK? Now, this is kind of precedent
area and it’s somewhere between 100 up to 750. And here’s the catch. Without having to prove
they have been harmed by the data breach. So, you can probably
easily say a heart monitor, right, or a heart pacemaker. Oh, I’ve been harmed. But if you don’t have to
prove that you’ve been harmed, that’s a whole different
ball game. It just has– you have to
prove you’ve been breached. All right, so the Joneses, trying to keep up
with the Joneses. It is a hard job. You look at the person
next to you and go, oh my gosh, are you doing that? Are you set, right? You need resources, training,
don’t have this mentality, you don’t have to keep
up with the Joneses. All you have to do is keep up
with you and your organization, because wherever you’re at,
you can become stronger. It’s actually the
name of my company, because some people we talk
to, they’re way down here. They have no policies. They have no infrastructure
like they’re way down here. We help them move
up one level, OK? Then you have people
who are way up here. They’ve got their 72
incident response plan, like they test it, like you’re
like, wow, they’re rock stars. They have all this together. Well, they might be up here. But you know what,
they can improve too. Because maybe they don’t know
anything about the GDPR and all of a sudden they
have to be compliant. So, everybody has
a place to move. Do not feel like you have
to keep up with the Joneses. Take inventory of where you
are and move from there. So, how do you stay current? Expert training, right? Because what you learn in school
has already changed, right? Connecting to community,
that’s one of the reasons that you’re here at this
conference, you want to be able to say, hey, I was there, I
was learning, I was connecting with people, connect on
line, executive leadership. Make sure your executive team
understands the problems. Don’t speak Wookie, right? Don’t speak Wookie. Make sure they get it. Spend time making
sure they get it. Use an intermediary. Use somebody who doesn’t speak
Wookie to help interpret, OK? I know that you can do
it and become stronger. And if you realize this
wave that’s coming, you’re better able to not
stress about it and be able to plan what you’re
going to do about it. And I will take questions now. Thank you. [ Applause ] Does anybody have any questions? Go ahead. So that’s
a good question. If you didn’t hear it, is
the trend with the GDPR– is it going to more
privacy officers and privacy not just security
and are they separate, right, are they separate? And they need to be. So, I actually had this
conversation over lunch where can you have the main
security person also be the compliance officer? Well, you can. Ideally, some people might
to begin with but, no, they have to be separate. And we haven’t had a lot of
conversation about privacy. And in your world
as security people, no matter what your job role
is, privacy is now going to be talked about more
so than it ever has been. Ten years ago, did we
talk about privacy? Boy, oh my gosh we
got all their emails. Man, we can send
junk to them, right? I mean, we didn’t talk
about privacy but we do now. And yes, they are
separate roles. So thank you for the question. OK. Thank you very much. [ Applause ]
>>Thanks, Heather. You not only kept us
awake after lunch, which you gave us a lot
of food for thought. See what I did there?
