Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:22  

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and Certified Information Privacy Professional providing practical privacy advice to overwhelmed companies.

Justin Daniels  0:37  

Hi, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels  0:54  

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, and to check out our new book, Data Reimagined: Building Trust One Byte at a Time, visit

Justin Daniels  1:34  

Book’s been out now for what? The day three weeks?

Jodi Daniels  1:38  

That’s a true statement. Yes. It’s exciting to think that we’re actually published and authored and done. We’ve actually written a book and got it out into the universe. And we’re so excited to hear what you all have to say. But today, today, we’re going to talk about cool technology to help privacy and security programs. Cool.

Justin Daniels  2:00  

Are you going to introduce our guest?

Jodi Daniels  2:01  

It’s sure I’m going to introduce our guests. So today, we have Dimitri Sirota, who is an entrepreneur, investor, mentor, strategist and the co-founder and CEO at one of the first enterprise privacy management companies, BigID. BigID is a data intelligence platform that helps manage data governance challenges, allowing organizations to get more value from regulated, sensitive and personal data across their landscape, proactively. Welcome to the show.

Dimitri Sirota  2:32  

Well, thank you, Jodi. Thank you, Justin, thank you for having me. Congratulations on the book.

Jodi Daniels  2:36  

Thank you. Thank you. Thank you. Huge accomplishment. We’re, it’s been a fun October. October is the best month ever. It’s fall. It’s cool leaves. Sleepwear.

Justin Daniels  2:44  

What did my birthday be wearing this month?

Jodi Daniels  2:45  

Cybersecurity Awareness Month? Of course, it was National Dessert Day. My birthday month. I mean, October. That’s my daughter’s day two. That might have been so far. The beginning of the month. I was

Dimitri Sirota  2:56  

daughters daughters and sons. They both they both happened October. So there you go.

Jodi Daniels  2:59  

There you gonna see best month ever. But let’s let’s dive on it.

Justin Daniels  3:04  

So, Dimitri, we’d love to start off and ask you how did your career evolve to founding BigID and I’d actually like to know how you came up with the name because that’s really catchy.

Dimitri Sirota  3:14  

Yeah, sure. So maybe I’ll start with the first part first. Yeah, so I’ve been in kind of the security world since I basically started working. So I originally studied, did graduate work in physics. And then after I left, I worked for about two, three years in what was then kind of an emerging technology industry kind of around ’97, ’98, ’99. And I started, I only started working in ’97, I graduated ’96. And by ’99, I decided I want to take the plunge and start a company. So I actually started my first company, eTunnels, in the network security space, helping these new emergent telcos that were kind of a big deal in 1999, 2000, for those of those in your audience that go back that far. And, you know, back then they were introducing new high-speed internet to replace dial-up and they needed services like firewall services, VPN services, to connect offices and so forth. And so, I mean, a couple friends made the plunge. So that was my first company. You know, we raised money, had an office in Seattle and Vancouver. Didn’t reasonable, okay, loss of a while, but, you know, we hit kind of 2000, 2001. And so I kind of veered away while they continued. And then I started my second company, Layer 7 Technologies, which focused on security for APIs, long before anybody knew how to spell API. And that was, I think, 2003, 2004. And, you know, we had some some cool years and some hot years and eventually exited that business in 2013. And I made my way from here. Headed out to New York, I worked for a couple years, the company that bought my company, and kind of a corporate AV roll up. And I’m kind of acquire companies and security and met my co-founder, who’s now in Tel Aviv. And we started thinking about the problem of how does DD data privacy? How does changes in the regulatory environment affect data security. And so that became the genesis of BigID in 2016. We went off and started the BigID, my third security company.

Jodi Daniels  5:30  

sells companies. Well, we always say here the phrase, know your data. And when we talk about the, the idea behind BigID, and you take this proactive approach to really being able to help companies identify the sensitive data that regulated data and use it appropriately. How does BigID help companies solve for that? Can you share a little bit more in detail?

Dimitri Sirota  5:54  

Yeah, sure. So kind of the, you know, just announced about kind of the name origin. And kind of the big idea of BigID, if you will, was the fact that if you’re gonna be doing data privacy, or data security, or even data governance, for that matter, it all really starts with the data. And I think when we were kind of coming into the landscape, there already kind of tooling for privacy management, their ideas of doing it, but they typically started in different places, like, for instance, maybe with a survey, or a questionnaire. So there was always this proxy for knowing the data, right, you would rely on data recollections, instead of actual data records. And having been in security, the majority of kind of my adult life, we felt that for you to have truly kind of this notion of data protection, data integrity, you got to start with the data, that was kind of the big idea of BigID. And Justin, by the way, we were also able to buy the domain, and it was nice and easy and catchy. And you’re getting lots of lots of things you could associate with it, like big ideas, and so forth. So but that truly was, is that there was a kind of a chain change of the changing of the guard in the data world, right, partly because of cloud and the move to the cloud, partly because of these new regulations over the horizon like GDPR. And that the old school ways, whether it’s in privacy and governance, or security of understanding your data of knowing your data, were not going to be adequate or satisfactory for being able to satisfy these kind of emergent problems. And so that is how we got started, we felt that you needed different kinds of technology to be able to sift through the volumes of data, the kind of the volume, the velocity, the variety of data you get in the cloud, and that the old school technologies that kind of suited enterprises, maybe in the 2000s, were not going to be suitable in the, in the 2020s, if you will. 
And so we kind of went off and started building in Israel in New York, technology that would basically be able to address the broader array of challenges, both privacy, security, regulatory around data. But again, the origin of it, the big idea was that we started with the data, we didn’t rely on recollections memories that are error prone. We started with the data. That was the that was the that was the big idea.

Justin Daniels  8:11  

So you founded the company in 2016, and you’re a serial entrepreneur. So can you share with us a little bit about how building this company, you know, may have required some pivots based on market or customer need? Can you, you know, share some ideas as to how BigID has pivoted and evolved?

Dimitri Sirota  8:29  

Yeah, sure. So when we started, we, you know, I think it’s always important, this is the thing you learn to having started a couple of companies and invested in a bunch of others as well, is to find a swim lane, right? Something that is clearly identifiable, a problem that people already understand that they have. And that’s something you could potentially own, right, you could basically define a swim lane, it doesn’t have to be super broad, it just has to be something. And you know, when privacy, when GDPR was just kind of not yet, not yet enacted, but kind of over the horizon. One of the fundamental challenges on the data side around privacy was how do you identify data that belongs to a particular individual? Right? So historically, if you go back to the 2000s, data, data discovery, or know-your-data tools are very focused on finding certain types of data. And typically in a data environment that existed in 2003, 2004. So part of the technology kind of came was was kind of sprung from requirements like PCI, we’re gonna find credit cards, and then from their social security numbers, and you got to look at Exchange, you got to look and you got to look in, you know, NetApp, the things that existed in the 2000s. So obviously, those things still exist. But those the predominant data data landscape, fast forward to 2016, 2017, we’re starting BigID the requirements are a little bit different. GDPR requires you to be able to locate and identify all the data, all the identity data belonging to an individual. Right, so Dimitri, what data does the company have on me? And then be able to look everywhere, right? Maybe not just in a file server, maybe not just in a SQL database, maybe not just in an email server, but everywhere because the regulators that were defining these regulations don’t know what HDFS is, or what a Snowflake is, or what a Databricks is, they just said you need to be able to locate this data. 
So that requirement kind of led to BigID because we thought there was an opportunity to rethink or reimagine how organizations know their data based on identity, right? The ID and BigID, and that have never been done before. Right? You’d never really thought about you thought about, I gotta find credit cards, but you never thought about, I gotta find all the data belonging to a person. But GDPR and later CCPA, and other privacy regulations said, no, no, every individual has a right to access or delete or correct their data. And therefore you need to be able to locate all the data could be Clickstream data could be passwords could be IP addresses, cookies. And so we developed using kind of graph technology, which is a type of ML, something that we eventually patented in the US and Europe, new kind of technology to be able to kind of look across a vast data state, primarily in the cloud, maybe with a bit of hybrid cloud in the in the legacy data center, and locate all kinds of fragments of information that belong to an individual like, like Dimitri, and do it at very, very large scale, and maybe do like hundreds, if not 1000s of these a day, without kind of burning the system. So that was completely new. And that was the swim lane. We kind of defined this kind of identity graph, to solve for this data transparency problem that was inherent in privacy. And that’s where we got our start.

Jodi Daniels  11:37  

So on this notion of finding all the data and utilizing it to, you know, here’s all of Jodi’s data to comply with XYZ privacy law. There’s also a benefit for a company to be able to know here is all of Jodi’s information, obviously, without sharing any particular client names, but is there maybe a story where you can share how a company has utilized knowing all of the data in a in a positive way how it’s helped that organization, better know their customer, or utilize it from a positive value perspective?

Dimitri Sirota  12:11  

Yeah, so So knowing the data has a couple of couple of elements. So again, starting with personal data, right, so that’s where we kind of began that was a swim lane, because it was a very, very hard problem, it was kind of this, this notion that organizations were no longer going to be hoarders or owners of the data, they’re going to be custodians of the data. So you need to be able to look at the data and provide that transparency to consumers. So one benefit is obviously the ability to do that without weighing down an organization, as you can imagine, looking for the data everywhere takes a lot of resources, especially if you think about just the the variety of places where data can be kept. And some of it is documents and emails, there’s no way a human could wade through a lot of that. So one benefit is that organizations were going to be able to deliver transparency back to their customers at scale. And their customers could be anywhere in the world because the technology we built was language agnostic. So it works equally in Japan as it does in the US. So that’s one benefit. But there are other benefits, right? If you find a data in places where you didn’t expect it, maybe data that belongs to a German German resident, or citizen that resides in you know, maybe Turkey or some some other place outside of the EU or the US, maybe you don’t want it there, maybe you want to remediate it, like delete it, maybe you want to be able to move it. So there are other benefits in terms of how organizations go about kind of securing and dealing with the integrity of personal data by being able to know more about what data you have, where it resides and how it’s collected. So the way we built our technology doesn’t just provide that transparency, that kind of self service where we can locate all the data, it tells you other things about the residency of the user, what data resides in other kinds of territories. And it could help in other areas, right? 
It could help in things like Master Data Management, how do you create kind of a single record around that user? How do you make sure you don’t have redundant or unnecessary data? So you keep your data to a minimum, which is part of the kind of privacy by design ethos that was kind of introduced by GDPR. So there was a myriad of benefits beyond just the regulatory mandate around transparency around access and deletion to consumers that allow organizations to essentially be better custodians of that data. And of course, from there, we kind of layered on more and more, more, not just privacy data, but also security data, governance data,

Jodi Daniels  14:41  

as well. Super fascinating. We really appreciate you sharing those examples. I think it’s important for companies to understand how tools can be used not just for a check-the-box compliance activity, but above and beyond.

Justin Daniels  14:54  

So now I think we’ll head to the cloud.

Jodi Daniels  14:58  

Your head is sometimes in the cloud. Okay. Especially when

Justin Daniels  15:01  

we’re talking. But having said that, obviously, data migration to the cloud is one of the overall macro trends in business. And, unfortunately, data breaches and security concerns have followed their way to the cloud with Kaseya, among others, and we’d like to understand better from your perspective, how BigID can help companies understand and minimize their cloud data risk.

Dimitri Sirota  15:28  

Sure, so BigID kind of from the onset was always kind of a cloud first company. We were built in the cloud, cloud native architecture and technology. We did support companies that had, you know, because we cater to large enterprises. So we supported companies that had kind of a mix of cloud and data center, but from the onset, we kind of you cloud is where most organizations are headed, if not 100%, majority percent. So a couple of things about the cloud that kind of make it challenging. So one thing is you can no longer hide behind this kind of false sense of security of add locks in your physical data center in New Jersey, right? Data is more exposed, it’s visible, it’s more fluid. It could be in a variety of locations, whether it’s in AWS, Azure, GCP, SaaS applications, code repositories. So data, frankly, is more naked when it comes to the cloud. And on top of that, there are more associated risks with the cloud, right? Whether they’re, you know, who’s accessing the data, or who has access to the data, whether it’s around kind of data replication and duplication, whether it’s understanding what data is encrypted or not encrypted or not tokenized, or tokenized. So there’s more kind of inherent risks in terms of how the data is shared, how the data is used, what kind of data so data hat in the cloud represents kind of a number of challenges. And so, you know, a lot of our customers, I would say, the majority of our prospects today, are leading with cloud. And again, they’re looking at technologies to help them understand what do they have, right, that situational awareness around? What data do I have? Is it regulated data? Is it? Is it intellectual property data? Is it personal data? And then what is the associated risk around that data? And that risk can be based on the sensitivity of the data? Right, as a top secret as a secret is GDPR? The risk could be basically is the is the data kind of in the wrong place? Right? 
Did it cross a border, there’s a lot of data sovereignty regulations. Right now, there’s data residency requirements, in many cases, there’s data access requirements in terms of insider threats, and credentials. And so understanding kind of the what data you have, and the associated risk becomes the founding kind of principle of how companies like BigID help organizations in the cloud, by letting them kind of mitigate that risk, right? Once you know the risks, once you know the data. And then also being able to layer on more controls, whether they’re access, you know, third party sharing, to, again, provide a more complete umbrella around security for data in the cloud.

Jodi Daniels  18:14  

I’m gonna ask you to wear your crystal ball, or not where your crystal ball find your crystal ball? Where are you? With your crystal ball, but I obviously decided that there’s just a new concept. Why

Justin Daniels  18:29  

don’t you ask her to put on as Mr. Thomas costume that was clean? Yeah,

Dimitri Sirota  18:34  

we’re gonna go as a crystal ball. There you go.

Jodi Daniels  18:36  

So people are always asking where do we see privacy going in the next three to five years? So in your, your point of view? Where do you think and as I’m going to ask you a two part question one, you know, any insight, your just your opinion on the regulation side, but also where you think companies are from the maturity perspective and where they are evolving with their programs?

Dimitri Sirota  18:59  

Yeah, so I can talk about the maturity and then I’ll talk about kind of where I think it’s going. So look, I think most companies have something right. And it’s not like they didn’t have anything for the last kind of 10 years. They typically have process, whether it’s kind of built on spreadsheets, or built on some type of programmatic activity. More recently, I would say over the last kind of four or five years in privacy specifically, they bought some type of GRC tooling. Now, yeah, the GRC tooling may not extend back into the data, it might provide this kind of proxy for the data based on questionnaires or surveys, but there was at least this kind of replacement of spreadsheets with some other types of product. And I think now we’re going in through to a third phase where people are realizing the primacy of the data and the importance of the data. And so they’re looking for end to end automation that begins with an understanding of the data and then extends to whether it’s privacy reporting for PIAs or TIAs or RoPA, or this idea of kind of self service, preference management, data access management, etc. So I do think that right now we’re kind of in this third phase, where organizations, some are looking at end to end automation, and beginning with the data. And that I think is a is a good lead into kind of one of the bigger trends we’re seeing is that more and more organizations, whether it’s in privacy, alone, or whether it’s in combination of privacy, and data governance, or privacy and compliance, or privacy, and even security, as, as you guys kind of represented on this podcast, people are realizing that that data is at the center, right. And contrary to what you know, the world may have looked like kind of five, seven, eight years ago, your privacy data is just one kind of data you have it’s a lens into your data around people data. Security is a lens into your risk data, governance is a lens into your metadata. 
But at the end of the day, data is at the center, and it’s the same data. And data has two kind of aspects to it. It’s kind of Janus-faced, in the sense that it’s got a risk aspect to it, it’s got a value. Most organizations, the things that most CEOs care about, they should care about both but they but a lot of CEOs care about how do I how do I get more money for my data? Right? How do I extract value? Right? How do I empower my data scientists? How do I empower my my marketers, but you want to do that? Well, at the same time preserving privacy, right? Because that’s, that’s regulated, and and reducing risk, right, whether it’s exfiltration risk, whether it’s misuse, risk, mis access, risk, whatever insider threat risk. And so I think most organizations today are kind of tasked and this is kind of the trend we’re seeing is that you no longer see silos of privacy. And then you could kind of go with them, and they don’t care about security. Or conversely, you don’t just see data governance, more and more organizations see data more holistically, they see data as having value, they see data as having having risks, and they want to be able to understand the totality. Now you may still have organizationally, windows into that data, right? Privacy professionals care about reporting to the DPAs, regulators. They care about kind of preference management, self service to the consumers. Security professionals may care about a few other things in terms of vulnerability and risk mitigation. But again, they’re no longer detached, just completely separate silos. They’re operating on the same subject, which is the data that again, increasingly kind of powers, the digital enterprise. 
And so that is one trend is that just like on this podcast, where the two of you are co-collaborating from slightly different angles around security and privacy, increasingly, you see security and privacy, data governance in the same room, talking about what they want to get out of data, but also how do you reduce the risk around the data simultaneously.

Jodi Daniels  23:01  

I agree, we can all be friends, we all need to work together. Are you laughing at me?

Justin Daniels  23:02  

I’m thinking about putting that crystal ball in my head with the fish. I think you said Okay, great. Okay.

Dimitri Sirota  23:14  

Don’t take my Halloween costume.

Justin Daniels  23:17  

I think he would actually. There was Nostradamus. There you go. I’ve helped you out. Okay. So, Dimitri, what is your best personal privacy tip, you’d offer friends at a cocktail party on Miami Beach?

Dimitri Sirota  23:33  

I don’t know if I’d be doing a lot of privacy conversations on a cocktail party if I have a beef, but I’ll do my best to share it. So. So look, I don’t think it’s kind of the mantra that I’ve been kind of sharing from the get go, right. I think in this day and age, just like spreadsheets are kind of antiquated to do any kind of privacy program. I think relying on recollections of data also represents risk, right people, I lose my car keys, I lose my sunglasses all the time. And I’m sure some of the people at the cocktail party in Miami Beach have lost their sunglasses as well. And if people can’t reliably recall where they put their sunglasses, they’re not going to recall where they put their data. So I think the kind of mantra BigID is always about start with the data. Right? The data represents kind of the value and the risk. That’s where you need to begin. If you truly want to have an impactful way to make a difference around privacy programs, security programs, data governance programs.

Jodi Daniels  24:32  

So when you are not building a privacy software company, what do you like to do for fun? You know what I mostly

Dimitri Sirota  24:39  

still look now that I live in Miami, which my wife insisted on us moving to last year. You know, when I travel most weeks I actually like to decompress sometimes with a cocktail party in Miami Beach. But I also like to read you know, I was at the beach one day I was at the pool the other day, this past weekend and You know, one of the one of the great joys maybe as you get a bit older is the opportunity to read, you don’t have to do it for marks anymore. And and yeah, you get, you know, I have 365 days of great weather. And so I would probably say my favorite hobby outside of cocktail parties at the beach is reading at

Justin Daniels  25:17  

the beach. Maybe we have a book to add.

Dimitri Sirota  25:22  

Check it out, I’ll go to Amazon right after this.

Jodi Daniels  25:24  

There we go. Now, where would the best place be for people to learn more and connect with you. So look,

Dimitri Sirota  25:31  

BigID, always a great place. So is a terrific place to learn more about about us. And I think there’s even a way for you to connect to me. We also have a new offering called SmallID, which is this kind of on demand version of BigID that’s simplified for companies that want to start smaller before they go big. So whether it’s, or They’re both great, great places to begin their kind of privacy security cloud journey.

Jodi Daniels  25:31  

Well thank you so much for your time today. We really appreciate the insight that you shared. We know a lot of companies will gain tremendous value from it.

Dimitri Sirota  26:09  

Thank you guys for having me.

Outro  26:15  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.