Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:21  

Hi, Jodi Daniels here, I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional, providing practical privacy advice to overwhelmed companies.

Justin Daniels  0:35  

Hi, Justin Daniels here I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from

Jodi Daniels  0:51  

data breaches. And this episode is brought to you by Mr. Coffee, anchored us some coffee, Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields including technology, SaaS, ecommerce, and media and professional services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit redcloveradvisors.com. You ready for a fun podcast, Monday morning recording time?

Justin Daniels  1:32  

Did you realize three weeks from almost now you’ll be taking the stage in San Francisco?

Jodi Daniels  1:39  

I will. It’ll be super exciting. But we’re gonna bring ourselves back to today because today we are chatting with Amanda Gorton, who is currently the CEO at Corellium, which she co-founded in 2017. Previously, Amanda co-founded Virtual which was acquired by Citrix. Amanda grew up in Kansas City and fun fact, has a master’s and land from Yale. Welcome to the show.

Amanda Gorton  2:04  

It’s really great to be here. Thank you so much for having me.

Jodi Daniels  2:08  

Absolutely. Well, Amanda, you have done some really interesting and exciting things in starting, not one, but at least two companies. So we’d love to hear a little bit more about your background. And what brought you to where you are today.

Amanda Gorton  2:24  

Sure, sure. Well, as you as you noted, already, it’s been a little bit of a circuitous journey. I don’t think when I was in college, getting getting my masters, I probably wouldn’t have imagined myself founding a tech startup. But here we are. So how did I get here, I, when I when I graduated, I moved to San Francisco. And I was I was working as a writer. And and it was a little bit of a struggle to support myself in San Francisco on a writer’s salary, as you can probably imagine. So I was kind of casting around for a little bit higher paying salary job. And I wound up getting recruited by a startup in Florida, which is where I am now. They were in the mobile device management space, which was completely foreign to me at the time. But it sounded really exciting. And they had a really great position and it paid a lot of money. So I moved to Florida and and I discovered that I was I really love technology, I found it really fascinating. I found the problems that they were solving, intriguing. And while I while I was at the startup OpenPeak, I met my now partner, Chris Wade, who at the time was working on a project that he called iEmu, which was an iOS emulator. And, you know, as we got to know each other, and the more we talked about it, the more I felt like there was a real opportunity for this technology to solve critical problems in the enterprise testing space. Particularly, I think, if he’s ever sort of given thought to, you know, the mobile app development process, which I’m sure not very many people have. But there are people out there who do it is really challenging because you have to test across all of these different device models and all of these different versions. And so what companies usually have to do is buy a bunch of these phones and have this device lab where you know, QA testers and engineers can go like check out these phones and and use them for the development purposes. It’s really cumbersome. It’s really challenging. 
You know, phones get lost, they get broken, you have to replace them. It’s a nightmare. So we both felt like a you know if you could create a kind of virtual version of this. So you could do it in the cloud instead of physical hardware, you would really solve a, you know, a serious impediment to creating stable, well tested software on mobile devices. So we co-founded Virtual together. And it was it was a great success. And it was so successful that Citrix wound up buying it like six months after we started, which was fabulous. And we love to go work at Citrix. And we got to meet Mark Templeton, who was CEO at the time, he’s become a really great friend and mentor. He’s now on our board at Corellium. So it was it was a great journey was a great learning experience, from end to end, sort of after we read Citrix for a little while, we decided, you know, hey, like, we still haven’t really solved this problem, this technology hasn’t really taken off within Citrix. Maybe it’s time to try again and see what we can do a second go round. And here we are. So yeah, so that’s, that’s kind of how I, how I got here.

Jodi Daniels  6:04  

That’s a really cool story. I love it.

Justin Daniels  6:06  

So basically, you’re saying you and your significant other start businesses together? Mm hmm. I’m just curious, what is that like? Because people ask Jodi and I all the time, how on earth? Can the two of you be married? And be able to work together? How do you manage that?

Amanda Gorton  6:22  

Yes, it I think it has its pros and cons. You know, it can be really great because you have a kind of implicit communication that other co founders don’t. So you can, you can bounce ideas off of each other. And you have more opportunity for sort of serendipitous communication that I think otherwise is commonly available. At the same time, it can be really difficult to ever get away from work, we, we really struggled to kind of like draw a line and say, Okay, we’re not talking about work, and we’re going to do something separate from work. So I think I think it has, you know, it’s like anything, it has its pros and cons. But I think, personally, I feel like if if you and your partner are a good mesh, it’s very easy to work together, because you kind of, you know, complement each other and build on each other’s strengths. And that’s kind of exactly what you want them to go from each other’s strengths.

Jodi Daniels  7:20  

I think we do. But the challenge that Amanda just talked about, of being able to say we’re not going to talk about work is real, just because Friday and Saturday night might be the lens, we actually conduct not mean I when I want to talk about privacy.

Justin Daniels  7:37  

Well, we’re here to talk about Amanda. So now that we’ve I’ve gone on that little detour. Why don’t we level set? And can you explain a little bit Amanda what are virtualization services to our audience?

Amanda Gorton  7:50  

Sure, sure. Right. Yes. So um, so traditionally, virtualization services are, you know, you probably think of something like server virtualization where where you’re really running sort of multiple virtual instances of something on a on a server to make that server more efficiently use its resources. Virtualization as a concept, in general, I think you can kind of boil it down to using virtual representations of physical resources to make those physical resources more efficient. So it’s about the more efficient use of a physical hardware. And so historically, you know, virtualization has primarily focused in the server industry and the desktop industry. So, So, traditionally run, you know, you might, you might run a virtual desktop, in order to enable your workforce to use, you know, to give them the power of a full laptop, to give them more CPUs, more more memory, without actually giving them a really beefed up actual physical computer. So used to kind of abstracting that physical hardware and in order to, again, more efficiently use those resources. I think for for, you know, for, for, for a less enterprise focused use case, you could kind of imagine, I think, a lot of lot of ordinary consumers might be familiar with something like Parallels, which allows you to run both Mac and Windows on the same computer. So instead of having to buy two computers, one for Windows one for Mac, you can run them both on the same machine, and that gives you a more efficient use of that physical hardware. So you don’t have to buy two computers, you can just buy one. So that’s kind of the core concept of virtualization is giving you more efficient use of your physical resources. So Corellium kind of takes that concept. And and extends it to the next generation of computing devices, mobile devices, IoT devices. All of these, you know, these new, newly proliferating smaller consumer oriented devices. 
And and instead of giving you more efficient use of those devices, our technology is geared very specifically towards enterprises who need to use those devices for testing and development. So mobile app developers, folks creating new, you know, IoT devices, new smart fridges, new smart thermostats, anyone kind of working on developing these new types of devices or software for these new types of devices. That’s kind of the that’s the market that we’re really looking towards. And what we what our software is intended to do is to enable those types of developers to more efficiently test and develop on those devices, by enabling them to work in the cloud, rather than having tons and tons of physical implementations or physical instances of those devices. It’s up to us, you can imagine, if you have to develop, say, a new router, or a new thermostat, instead of shipping physical boards to each of your developers, it would be far easier for them to be able to just log onto their computer and run and test their software. So so the idea is just to make it as simple and efficient as possible for these developers to do their work to go through the software development lifecycle. Primarily because when when developers have the tools that they need to do that work more efficiently, they can do a better job. And, you know, from our perspective, what we believe is that this new generation of devices, IoT devices, mobile devices, they’re introducing this kind of new frontier of privacy questions, really questions, they’re, they’re proliferating into every corner of our lives, we carry them in our pockets. They’re in our offices in our homes. And they’re collecting a lot of data about us. And we put a lot of data on them. And so it’s more critical than ever, that these devices are secure. 
And, and we want developers to be able to create the most secure code possible and giving them the tools to be able to do that removes a barrier, to make sure as much as possible that those devices are being created in a secure and well-tested way.

Jodi Daniels  13:07  

So from that angle, what should companies be considering when they’re utilizing these services from a privacy and security perspective? Yeah,

Amanda Gorton  13:17  

I mean, it’s, it’s a bit, I think, multi layered. So I think the first thing that companies should be considering, you know, any company creating, you know, software for these next gen devices. First of all, they should be doing this kind of security testing in the first place. And I think a lot of them aren’t. So I think, you know, table stakes is that we want more of these companies to be investing in this type of security testing, and, and using tools like ours, to perform that test. And so, so just bringing them to the table, this kind of the first step. I think, also, an important consideration for companies in this space is ensuring that security gets baked in from the start, rather than as an afterthought, you know, and that’s not necessarily even like a plug for Corellium. Just I think, in general, the more that security is thought about in the entire software development lifecycle, writing secure code from the beginning, doing that kind of security testing from the start instead of at the end. That’s going to lead to overall more secure products. And I think that you know, there are there are great companies out there that are pushing the, the the writing of secure code from the outset, Secure Code Warrior, I think is a great example a huge fan of what they’re doing. So I think I think in general, just baking security in from the from the start is an important aspect. I think also kind So, as a general sense, whether using you know, Corellium or any service, paying attention to how the service treats security and privacy is an important aspect. 
You know, when you’re, when you’re an enterprise, and you’re selecting any kind of service, you really should be paying attention to how that company talks about and treats security and privacy, because you’re integrating it into your, you know, into your networks and to your infrastructure, it will have a footprint, and it’s important to be conscientious of how that might impact your threat model, or your general security practices. And I think finally, particularly when it comes to the dev test space, one of the advantages of using a virtualization service like Corellium, is in the actual the technology of virtualization itself. So when you are, when you’re doing this kind of testing, an alternative that you could use is to rent physical devices. So they there are these sort of test farms available, where you can kind of run our tests on, you know, third party devices that are hosted in a data center somewhere. The problem with this from a security standpoint is that devices don’t always get wiped properly. So we have actually encountered and heard anecdotes from our customers, where they will log into one of these devices, and it will already be signed into somebody else’s iCloud account or Google Play account. So from a security and privacy standpoint, that’s kind of a big red flag. But with virtualization really just never run into that. Because with a with a virtual device, you’re you’re creating it and destroying it. And there’s no chances anyone ever kind of coming in later and getting access to your secure information. So from that perspective, I think there’s there’s a strong security advantage to using something like a virtual device for this kind of sensitive security testing.

Justin Daniels  17:14  

So Amanda, I wanted to hone in on something you talked about, you said security as an afterthought. And one of the things that Jodi and I encounter repeatedly in our personal and professional lives, as you alluded to, is people not paying attention to privacy and security by design. And I guess my question would be with what you’re doing with your virtualization services, and the tools, you’re, you’re trying to make it easier? Are you starting to see that companies are thinking more about designing that code from the beginning, because when I look at Web3, the Axie Infinity hack, when I’m working on a drone project or autonomous vehicle, I’m seeing the same mistakes that you’re talking about being made across industries, because you know, as a startup, everybody’s in haste to get to market and to figure out I’ll deal with privacy and security as a bolt on once I’ve reached scale, love to get your thoughts about

Amanda Gorton  18:13  

yours, you’re spot on, I think it’s still a huge challenge. I mean, I think we’ve seen a few strides, you know, minimal progress, especially, you know, as as things like ransomware are sort of entering the public consciousness, and people are paying a little bit more attention to security, and maybe devoting a few more dollars in the budget to security. At the same time, I think there’s just a long way to go. I think, you know, things that seem to have a big impact, from what I’ve seen are technologies or services that really emphasize secure code practices from the outset, and training engineers to implement secure code practices. So I think that is something that’s that that at least from my perspective, I’ve seen, have a an enormous impact on organizations, because I think when when you’re starting out, especially as a startup, I mean, speaking from experience, as, as a founder, we went ran into the same exact issue, you know, we were trying to get to market very quickly. And we didn’t have a whole lot of time to really devote considerable thought to security. But what was really helpful to us is that all of our initial engineers and team members came from a background in security. So they they really understood secure code practices from the outset, and they just knew how to bake it in and we didn’t really have to put a whole lot of thought into it. And that served us really well, because now that we’re kind of getting to the place where we’re having to pay more attention to it. We have a great foundation. I think unfortunately, that’s not the case for a lot of other startups. So I think the the areas where I see the most room for improvement in this space are, you know, the companies that are tackling it from that bottom level up.

Jodi Daniels  20:11  

It’s interesting you say that, because what I was thinking is you probably have some good insight into the security challenges that companies are facing these days. One of them being not all their engineers come with security backgrounds. What are some of the other challenges that you’re seeing companies your customers have in this arena?

Amanda Gorton  20:32  

Yeah. I mean, there are so many. I think that that, you know, I, I think that a lot of companies today are still facing the same old challenges, but there may just be a little bit more of a spotlight on it. We I don’t know if you’re familiar with. So Florida is called the Sunshine State. And one of the reasons behind the name is this. There’s this what’s called the Sunshine Law, which compels all of our law enforcement agencies to kind of transparently report about what’s going on. And so the kind of upshot of this is that a lot of the weird things that happen in Florida are reported on in when it’s not necessarily done in other states. So Florida gets this reputation for like Florida man. Because there’s this transparency around kind of the weird things that happen. And so and so there’s a little bit more spotlight there. And I think maybe the same thing is happening today in security. I don’t necessarily think there’s a considerable degree more of these kind of click serious security vulnerabilities. But I think there’s a lot more spotlight on it now. And I think that, as a result, companies feel an enormous pressure to keep up with these, these increasing threats. And I think that that is creating a kind of, in a way, a good kind of pressure to invest more in security. But I do think that that at the same time, enterprises in particular are struggling to keep pace with what feels like this overwhelming influx of, of serious security threats and vulnerabilities. I think phishing honestly is a huge issue. We, every time we get a new employee, they get hit with the same phishing scam to the point where we have made it part of our onboarding process. Be on the lookout, you will get a phishing email that looks like this. A couple other, you know, companies that we are familiar with down here, get hit with with phishing scams and and you know, it’s they’re increasingly sophisticated. 
They, they, you know, use social engineering more often than not, and even when I think folks are kind of attuned to the fact that hey, like, be on the lookout for suspicious links. It’s not always enough. So I think five from my perspective, I think phishing is probably one of the biggest bucks that I see enterprises struggling with today. And it’s it’s a huge challenge to stay ahead of it

Jodi Daniels  23:19  

really is. Yep, murky smile. I

Justin Daniels  23:24  

guess another thing I wanted to ask you, Amanda? Well, you know, Amanda saying a lot of things that you and I are familiar with. It’s

Jodi Daniels  23:29  

interesting validation, it’s

Justin Daniels  23:30  

validation. But I think the other thing is, I think it’s really interesting how wait Amanda saw security issue was she happened to hire engineers who took it seriously. So I think that’s a really interesting way that she got it the problem because you didn’t think about it so much, because you knew that you had people on your team, who already like, yeah, I build secure code. That’s just how I roll. But I don’t think that’s

Jodi Daniels  23:55  

that could be a cool tagline.

Justin Daniels  24:02  

build secure code.

Jodi Daniels  24:03  

That’s how I will. There you go. But our new social media posts.

Justin Daniels  24:12  

Anyway, Amanda, you know, given what you do, I’m sure you pay attention to if we step back and look at the privacy and security landscape from a regulatory perspective, the fifth state I think, where your alma mater is, has passed the privacy law. Go Connecticut.

Jodi Daniels  24:29  

And I grew up there for any of our listeners who have no idea why I’m cheering.

Justin Daniels  24:37  

And then you’ve watched the Biden Executive Order, CISA, SEC on down the line. And so I guess my question is for what you’re doing, it sounds like the evolving regulatory landscape where these different federal regulators or state legislatures are starting to pass law would be a net positive for how you are going about this. shooting your business. And it sounds like regulation for some companies that provide that are doing what you do. That’s really helpful.

Amanda Gorton  25:07  

Yeah, I can’t disagree there. I think on the whole, though it’s probably beneficial for everyone. I think that, in general, in the privacy security landscape, at least, you know, from my perspective, I see the regulatory aspect as part of a holistic system. Ultimately, I think a lot of the push for privacy really ought to come from the consumer. And it really ought to be implemented by enterprises buy by companies providing services. But I think sometimes that’s just not enough. So I think it’s important to have some regulatory guidance to make sure that we stay on the right track. But ultimately, you know, from my perspective, I think consumers really have to be the ones driving this and raising that kind of awareness about privacy concerns, I think is absolutely critical for folks in our industry, I think it is become, it’s becoming more of the A part of the public consciousness these days, as we sort of see ransomware attacks in the media. And I think people are starting to realize that as these technologies evolve, the privacy itself is, you know, becoming a different beast in and the idea of privacy, what privacy means is really evolving. I am not sure that the majority of consumers today really fully grasp the implications of, you know, data collection and the use of these new proliferating technologies. But I do think it’s absolutely critical for them to be paying attention to it and to be cognizant of how it does impact, you know, their, their personal privacy. Yeah, I, I just, you know, it’s something that kind of keeps me up at night. And so that’s honestly one of the reasons that I got into this space. I think that the this this, you know, I call it this next generation of computing the races, but it’s not really just, you know, mobile devices and IoT, it’s really, you know, these SaaS services, you know, autonomous drones, it’s, you know, it’s all of these new technologies that are kind of proliferating across across the ecosystem. 
And I think we’re really, I mean, just starting to see the the privacy and security implications from that. And it takes folks like, like you speaking at RSA next week, to really, you know, help people understand the broader implications of that. So

Justin Daniels  27:49  

Amanda, I want to invite you to talk a little bit about so you know, you’re a founder, you’ve done it, you’re doing it again, and you’re building a company. And you talked about the consumer being at the forefront of privacy. But the federal government has been stymied from passing any kind of overarching privacy or security regulation. We live in an environment now where there are 52 state breach notification laws, we have now five states with privacy laws and another 20 that are considering. So tell me from an entrepreneur’s and founder’s perspective, how do you feel about the cost that you might have to incur to comply with this patchwork quilt of regulation that we have in this country, as opposed to Europe, which has GDPR?

Amanda Gorton  28:32  

Yeah, yeah. That’s a great point. I mean, it sucks. Yeah, it’s a nightmare. It’s in the United States.

Justin Daniels  28:42  

That’s another I think that’s another bumper sticker. Double here. Yeah.

Amanda Gorton  28:48  

You’re right. I mean, it really, it’s just, it’s it, it’s bad for business, frankly, it’s bad for the consumer. It’s bad for business. It’s, it’s just a nightmare. And I mean, to your point, Europe has more unified regulation, it makes it far simpler. And by the way, their unified regulation is fairly like, I want to say progressive, but like it takes privacy very seriously. And I think we need more of that in the United States. kind of the point we were talking about before, I don’t think consumers necessarily know enough to be well educated enough to demand the kind of protections that they need. And I do think there’s, there’s room for us to improve here in the US in terms of the regulation that, yeah, you know, that that should be in place? It’s, yeah, I mean, you know, I do think there’s, there’s some, you know, there are things that enterprises can do to take privacy more seriously. You know, I think there are companies that are on the forefront of of privacy considerations and that go out of their way, I think to protect consumers. But I think often they’re motivated by laws overseas because they’re working overseas. So they just match what they’re already regulated to do in Europe or otherwise.

Jodi Daniels  30:16  

But we can certainly have this debate national state for hours. Since you spent so much time in the privacy and security space, what would be your best personal privacy or security tip that you would offer?

Amanda Gorton  30:32  

Oh, that’s really, I mean, I feel like, you know, there’s, they’re sort of, like table stakes, right, like, have good password management and keep your software up to date. But I suspect that a lot of your audience is probably already familiar with those types of tips. There’s no bad tip.

Justin Daniels  30:53  

And feel free if you’d like to talk about those tips, because you’re quite right. But it always requires saying, again, because it never ceases to amaze me that people don’t pay attention to those two.

Amanda Gorton  31:05  

Yeah, you know, as I was just thinking about what you just said, like pay attention. I think maybe if I was gonna give any tips, it’s that like, pay attention to things that impact your privacy. It seems like, you know, so I had a friend I was talking to the other day, who had downloaded an app from the Apple App Store. And she’s complaining about it. And she she was complaining about how it wasn’t doing what she thought it was supposed to be doing. And so we went and looked at it. And it turned out, she had not downloaded the app, she thought she’d download it. So she went and searched the App Store for this app. And she downloaded the top result. And it turned out to not be the app she wanted to it was an ad, it wasn’t like it wasn’t the actual app. And it was a social media app. So you can imagine that kind of privacy implications there. Like she’s posting things and, and so I think in a lot of ways, I think we were a little bit complacent when it comes to privacy, I think, because to a large extent, we kind of rely on the vendors to take care of our exports. We rely on Apple to vet apps that we’re going to download. And we rely on, you know, our cloud hosting providers to keep our data secure and private. But we really should eat and we should we should be very conscientious about the services that we’re using the settings that were that we’re enabling. You know, I if, if I could probably give any tip, I would say like don’t use apps. Just don’t don’t download any of them. I don’t know. Did you see the there was that? What was the company? I think it was Anomaly Six, I want to say the one that was there was an article about it recently, they they was showcased for being able to purchase location data and use it to track NSA agents or CIA agents. There’s something using like public but not publicly available, but data available for purchase. So not private data. 
And I think that that, to me, that sort of really highlighted how, how much of our data is out there that we are not even necessarily aware of. And a lot of it a lot of that location data, from what I understand comes from apps that are kind of operating in the background where we haven’t necessarily checked the settings. And they’re just nonchalantly collecting and sharing our location data. So yeah, so either don’t download apps, or if you do download them carefully check the settings for them.

Justin Daniels  33:48  

So it’s fair to say what we’re really talking about is privacy is all about who you’ve decided to trust. Porsche Ah, there you go. So we always like to ask all of our guests a non security and privacy question which is Amanda when you’re not out doing your privacy security evangelizing for your company. What does Amanda do for fun?

Amanda Gorton  34:14  

Oh dear. Well, don’t be fooled out of time for

Jodi Daniels  34:22  

sure.

Justin Daniels  34:23  

Maybe it’s a quiet dinner with your co founder that would certainly qualify qualify. Nothing wrong with that answer.

Amanda Gorton  34:29  

I so if I if I ever do get downtime, my my my favorite thing to do is is read like a total nuke. If I can curl up in a quiet space with a good book. That’s that is. I don’t know. That’s my ideal equate Bender quiet Saturday afternoon.

Jodi Daniels  34:49  

We my co-host over here would agree and our oldest daughter would agree as well. So Amanda, where can people connect? Gonna do and learn more? Where should we send them?

Amanda Gorton  35:03  

Yeah, absolutely. Well, you can always go to our website corellium.com. Or you’re more than welcome to reach out to me directly, either on Twitter, or LinkedIn. And it’s probably I should know my handles, but I don’t say well,

Jodi Daniels  35:18  

we’ll drop them in the show notes. For anyone listening, they can go to the websites. But for anyone who might be actually only listening, LinkedIn, Twitter, go find Amanda Gorton, or Corellium there. Well, Amanda, it’s been so much fun chatting with you today. Thank you for joining and sharing all of the great work and views with us today.

Amanda Gorton  35:32  

Thank you so much. It was such a pleasure to chat with you both.

Outro  35:44  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.