
Intro 0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:22  

Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and Certified Information Privacy Professional providing practical privacy advice to overwhelmed companies.

Justin Daniels  0:36  

Hello, Justin Daniels here. I am a corporate attorney who focuses on technology, and I’m passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I’m the cyber quarterback, helping clients design and implement cyber plans as well as helping them manage and recover from data breaches.

Jodi Daniels  0:57  

And this episode is brought to you by fun, Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, e-commerce, media, and professional services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit redcloveradvisors.com.

Justin Daniels  1:34  

Where do you start? I think I look a lot better in the video freshly cut here.

 

Jodi Daniels  1:40  

It’s true. The COVID haircut is the thing.

Justin Daniels  1:44  

You’re going to introduce our guest today. I’m excited to have our guest today, because now we’re venturing into the

Jodi Daniels  1:50  

cloud, your favorite topic,

 

Justin Daniels  1:52  

it’s one of them. So we have with us today Tommy Donnelly, who is the CIO and CISO of BetterCloud and is the thought leader for the future of digital transformation in cybersecurity. And as a cliff note, BetterCloud has some great swag, since Jodi has many of their hoodies that she wears regularly.

 

Jodi Daniels  2:11  

I love the hoodie. Thank you BetterCloud marketing. Everyone loves the hoodies. They’re awesome. Well, Tommy, welcome to the show. I’m glad to be here. So tell us a little bit about we always ask everyone kind of how you got here. So share a little bit about your career journey that led to BetterCloud.

 

Tommy Donnelly  2:33  

Yeah, sure. So I’m, I’ve been a CIO for probably like 12 years at different companies, really love technology and security. Those are my passions. I wanted to get into an industry that was really focused, like a product focus, on things that technologists use or security people use, found BetterCloud, I met with David Politis, the founder of the company, and he is amazing. And I really loved the vision of what the company was doing as it relates to IT, and enabling and elevating IT and security teams.

Jodi Daniels  3:08  

Well, that was a fun journey.

 

Justin Daniels  3:12  

Tommy, kind of diving into our metaphorical cloud, since it is one of the three major seismic shifts that we’re having in business, every company moving to the cloud: what are the privacy and security risks that companies need to consider?

Tommy Donnelly  3:31  

Yeah, there’s a lot, and I feel like we have a long way on our journey to really getting like a standardized, strong framework for securing and governing SaaS applications. You know, you can do research, you know, people kind of talk about different aspects of what security and IT challenges that these, you know, manages these applications have, but there’s just really not that much. And people were really kind of unsure, like, everything you need to do to really secure those applications. Things that we really see are challenging, from our standpoint, is: do you even know about all the applications? People go in, you know, departments go rogue and sign up for applications. You know, do you know who has access to those, you know, applications? What data are you storing in those other applications? And whom is that data sharing? Those are really, you know, the things that a lot of people just don’t have complete visibility into. And you just really, as a security or IT team, need to understand the purpose of those applications, so you can design the appropriate security measures. So those things are huge. It really, really puts a lot of pressure on vendor management. It becomes huge, you know, making, you know, trying to figure out like, we’re not only concerned with the company that we’re buying from, we’re also secure, you know, we’re worried about the companies that are part of their infrastructure. And so that chain of trust is really, really hard to get with third-party vendors, as you probably know, as a lawyer.

Justin Daniels  5:13  

So Tommy, I’m not I wanted to ask you a follow up question. So I work on a variety of transactions now with SaaS providers, and or, let’s say, your customers, and what are some of your expectations about the security hygiene of your customers, however, using MFA, because now that they’re connected to your cloud, if they’re not doing the right things? Hey, we’re all kind of connected. And that impacts you? So what’s the degree of kind of diligence when you’re looking at customers? And what are they doing?

 

Tommy Donnelly  5:43  

Yeah, it’s, it’s a challenge in the industry. Today, it’s kind of solved by just these, you know, 100-page security questionnaires. And you’re really kind of getting a marketing answer for trying to answer those questions around, you know, how is everything behind MFA. And ultimately, there needs to be a shift in the industry to create more transparency so I can understand your security posture and understand where your security ends, and ours kind of picks up. So what we really oddly look for when we’re getting new vendors is we want that transparency, you know, because usually, you can work around challenges, and work around like security challenges with that company. But if you’re not getting that transparency, and if you don’t understand their security posture, it’s hard for me to kind of do business with those organizations.

Jodi Daniels  6:43  

Tommy, you hit on something that I see all the time, which is that it’s very hard to know where all the data is. And different people, the IT team might think these are all of my systems, they’ve done all the diligence that you’ve just talked about. And yet, as you mentioned, other parts of the company might go rogue, and the marketing team goes and finds their favorite application. And the HR team goes and does the same thing. How does BetterCloud help companies address privacy and security issues with this data all over the place? And all these different SaaS tools? Where does BetterCloud come in?

Tommy Donnelly  7:18  

Yeah, so I think the number one thing is just knowing all the applications that you have in your ecosystem, you know, if marketing signed up for another application that you weren’t aware of, and so we do have a product that scans and gives you a list of all the applications that you have in your ecosystem. And every time we do this, we ask people, I mean, it’s like clockwork, every time we ask somebody, like, how many applications do you have in your ecosystem? Most people will come back with an answer of, you know, 20, to 30, to 40. And in reality, it’s usually hundreds, it’s, you know, two to 300 applications that we’re really seeing in these company ecosystems. So I really think like visibility is the first step; you can’t secure what you don’t know about. Number two is, do the right people have access to these applications? And are you only provisioning the people that need access to these applications? And this is where automation really, really comes into play. You know, BetterCloud, we allow people to like automate your onboarding and offboarding, depending on your role. So that’s something that happens systematically, you know, it easily ties back into your compliance needs. If you’re doing that manually, you’re gonna find places where it was missed, you didn’t know about applications, you didn’t know that somebody was added to an application. So I think that really, really focusing on automation to ensure compliance is the way to go there, especially when you have hundreds of applications. And I think that the third thing is making sure that people don’t accidentally share data. And speed matters with that. So if you have sensitive data, PII, shared with third parties, and it wasn’t supposed to be, you know, that could constitute a data breach. And so with BetterCloud’s product, we scan your data, we’ll tell you what was shared with third parties, and then you can actually automate the remediation or unsharing of that data.
And you really want that to happen in, and, minutes and hours, you know, not days or weeks, because there’s tons of people that are publicly scanning every, every shared piece of data on the internet to gather information about people, you know, and that’s happening 24/7, 365. So, you know, the ability to automate and automatically resolve those issues is huge.

Justin Daniels  9:53  

And peeling back the layers on that, Tommy, so what is important for a company to consider when purchasing and using tools like BetterCloud, so it’s effectively used in the company?

Tommy Donnelly  10:07  

Yeah, what I always try to do is companies, you know, from a security and IT standpoint, people really have to take an automation-first approach, to systematically manage things just because of the tech sprawl that’s happening. You’re not, you’re not building sustainability. And it’s really hard to ensure and govern what you’re doing without automation. And so I think that these teams that have typically been a little bit more reactive in how they do their job have to be proactive, have to automate, they have to change the skill sets to have those people that can automate things, to successfully manage these types of infrastructures.

Jodi Daniels  10:52  

Is there a, you know, someone’s listening, I, we have an audience of small companies to big companies. Is there maybe a sweet spot for where or when a company should realize, gosh, I should probably start putting in some of these scanning-like tools that we’re talking about?

Tommy Donnelly  11:10  

Yeah, I mean, I would say that, from a smaller company, like some of the main things that you want to do, or when you want to start doing this, I think it’s important to build a culture where you are thinking about these things in all aspects of the company, from day one. So when you don’t, from, from what I’ve seen from BetterCloud, from day one, we had security and privacy kind of built into every single process. And we have this culture of security. And so every new security person that’s come to BetterCloud has been like, Wow, I can’t believe, you know, the amount of security we have for a company this size. And I think that building that in, especially into the product and the engineering departments, not only like you see security, you know, with DevSecOps, you see security kind of built into development teams pretty early in a company’s lifecycle now, but you don’t see that from a privacy standpoint. And so a lot of times, there’ll just be a lot of it kind of prevents companies from going out to market. Because when people dig into those applications, and they realize, hey, we can have this, we can have this, you know, there’s an administrator that has access to this data. But somebody else can run a report that provides that data to somebody that shouldn’t have access to that data. You know, you see that kind of thing a lot in kind of early-stage SaaS companies. So from my standpoint, it’s really just building that into the engineering process and building security into every single process of the organization.

Jodi Daniels  12:59  

I think that’s really awesome advice to a company that’s starting out, to really understand it’s so much easier to do it right at the beginning, and to continue to build that culture, and not just from the development side, but throughout the whole organization. So thank you for sharing.

Tommy Donnelly  13:16  

And it’s those companies, it’s really, you know, a security team can’t understand every single process, every single thing that every single department is doing. And so people just have to understand how to, you know, it’s their job, people need to understand it’s their job to understand how security and privacy apply to their specific roles. And, you know, create a culture where they’re going to report like, Hey, we’re sending files like this, this doesn’t seem right. Like, it doesn’t seem like this is the most secure way to do that. And so they can know to bring those things to the security team. Because companies are so dynamic today. It’s just impossible to keep up if you don’t have that type of culture.

 

Justin Daniels  14:03  

So Tommy as we talk today, in 2022, in January, I’ve been immersed in things like web 3.0, Blockchain. So much technology is changing so quickly. So in light of that environment, what are the biggest privacy and security challenges you think companies face as we talk today?

 

Tommy Donnelly  14:27  

Yeah, today, I mean, really understanding those new technologies, and what type of data is going to be affected by those technologies. Understanding all the new regulations that are in, requirements of regulations that are coming out in the world, as the world changes, like those are some of the largest, I think, problems and challenges, especially with smaller and medium-sized companies. It’s really, really tough to keep up with those regulations.

Jodi Daniels  15:02  

You mentioned something earlier about the vendor management piece. And so as we’re talking about, it’s a challenge for the small companies and knowing the vendors is really important. What advice might you give to that small company? As they’re building their vendor ecosystem?

 

Tommy Donnelly  15:19  

Yeah, I mean, I think it just goes back to trying to encourage transparency and understanding what were those vendors’ security, what they’re in charge of, and what they’re responsible for, and getting those assurances that they can manage those assurances. And tying that back to our own systems and what we’re responsible for, and really understanding where their responsibilities end and ours kind of pick back up, I think, is probably the number one thing. I think that a lot of people think like, Oh, it’s on the cloud, they’re gonna handle everything, it’s secure, because it’s on the cloud. But in reality, there’s just so many things that you have to do to make sure that things are configured properly, to make sure that the type of data, you know, if they’re compliant, we can store certain types of data on that infrastructure. You know, there’s things that you have to do. And you just really need to understand how those applications are getting used. So you can build those systems to secure these applications.

Jodi Daniels  16:23  

Our heads were nodding, because we hear all the time, well, it’s on the cloud, it’s fine. I don’t have to worry anymore. That’s definitely, I don’t have it, someone else has that, it’s fine.

Justin Daniels  16:32  

Every day, thanks. Well, if I use AWS or Azure, I’m, I’m done.

 

Jodi Daniels  16:36  

Right, you’re all done.

 

Justin Daniels  16:40  

I assume it’s one of the really interesting things that makes BetterCloud so attractive, as you offer all of these additional services and tools to help people manage privacy and security.

Tommy Donnelly  16:50  

Yeah, and, you know, to me, it’s all about, it’s unmanageable, it’s getting to the point where it’s unmanageable. I mean, you have a small team, you might have, you know, in a smaller company, you might have three or four IT people, you might have four or five security people, but it doesn’t change the amount of SaaS applications that smaller companies are used, you know, we still see smaller companies, you know, with hundreds of applications. So it’s just really taking that automation-first approach that is just critical to even having a chance to be able to secure these things.

Jodi Daniels  17:29  

Well, as someone who spends a lot of time in the privacy and security space, what is your best personal tip, if you were at a cocktail party, that or an outside cocktail party these days?

 

Tommy Donnelly  17:44  

Can I go, can I be in plus one? Love to, yeah, I’m going back to it: learn to code. That would be almost my tip for most roles in a SaaS organ, in a modern company. You know, even from a privacy standpoint. I’ve built almost every new hire that we have, in security and even in the privacy and governance, you know, aspects of what we do, we’re always looking for that capability. And people taking that approach that we have to automate things, to build that sustainability. And it can really elevate the amount of security and privacy that you get, and the maturity of a company, if you’re able to automate things. So I would say that the best people in those industries are automation-heavy now, know how to code, you know, know their way around a database. Those things will make them massively successful.

Justin Daniels  18:46  

Jodi can be a girl who codes.

 

Tommy Donnelly  18:50  

That sound horrifying to you?

Jodi Daniels  18:52  

No, I always kind of fun to see what people say, I think so far of our unofficial poll MFA might be the leader so far that we get when we always ask this question in terms of text, but that’s the idea is we ask people, and it’s whatever you believe is going to be a best tip.

 

Tommy Donnelly  19:14  

Yeah, as far as securing Yeah, we agree with the MFA on everything is kind of non negotiable.

 

Justin Daniels  19:21  

For sure. You can join our official poll. So when you’re not building BetterCloud into an amazing company, what do you like to do for fun? Yeah,

 

Tommy Donnelly  19:36  

I mean, first and foremost, I enjoy being a dad of two twin boys. They’re eight years old, and they are a handful and probably occupy most of my time. I also love to travel. I love modern art. I play a lot of soccer, and I just like to dabble in technology and try to build my own kind of applications using new tech, try to keep me a little, you know, still have some technical skill. I know that you start losing that after three or four years as a manager, but at least I know, you know, enough to speak intelligently to my employees.

Justin Daniels  20:12  

So does that mean you’ve gone to OpenSea and bought your first NFT? I haven’t fallen into NFTs yet. No comment on that one. All right. We’ll have to share with you on that.

Jodi Daniels  20:23  

Well, Tommy, thank you so much for sharing all this amazing information. If people want to connect and learn more about you, or BetterCloud, where would a great place be to go?

 

Tommy Donnelly  20:34  

Yeah, definitely connect with me on LinkedIn or just shoot me an email thomas.donnelly@bettercloud.com. I’m always happy to talk to people, you know, talk to a lot of different people about different subjects around IT and security and love collaborating with other technologists and security professionals.

 

Jodi Daniels  20:54  

Well, thank you again for sharing your insight with us today. We really appreciate it. Thank you.

 

Outro 21:04  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.