Navigating the Data Maze - Brian Cherry - Guardians of the Data - Episode # 43

GOTD - Brian Cherry
===

Speaker: [00:00:00] Welcome to Guardians of the Data. I'm your host, Ward Balza. Each episode will explore the passions, expertise, and real-world experiences of security leaders who are helping the future of data security and governance. Guardians of the Data is made possible by support from Sentra. To learn more about our AI-powered data security platform, please visit sentra.io.

Let's dive in.

My guest today has over 20 years of experience in cybersecurity. During this time, he's worked within multiple industries and teams such as security operations, GRC, and identity and access management. Currently a global director of information security, Brian Cherry, welcome to the show.

Thank you. Thank you. Appreciate. Thanks for having me. I look forward to- Absolutely ... the conversation and what we can uncover. Ugh, looking forward to this. So Brian, in your professional opinion, what's the biggest data security challenge organizations are facing? Goodness. Um, the [00:01:00] biggest, right? And so- The biggest

there, there's a lot of, I, I would say, tips of the iceberg that exist, and there's a lot that's underneath the water that, um, that we may or may not know about. But you, you really have to put yourself in kind of a investigative journalist mode, um, and ask the questions of, specifically when we're talking about data, you know.

So what data is it that is to be protected, if we're talking data specifically? Um, second question, where does the data reside? And the, the question then that you have to, the, the subsequent question on that one is, have you looked everywhere? 'Cause I, I, I almost guarantee you that you haven't. But, but now that you know it's not where you think it only resides, w- how do you identify what is, where it is?

Where does it [00:02:00] exist outside of where you thought it should? And then really the last, the number four question, it, and again, all of these can be their own rabbit hole. But- Mm ... who's supposed to have access to the data versus who already has access, and how did they get it? So I, I, I say all that to say data sprawl and loss of control over the, I'm gonna air quote, "the data."

So where does it live? How does it move? And who, who can access it? And it's not just you or me, but now we've got AI that is interpreting or accessing or... So I feel like just data in general, of the problem of solving of wh- what is it, where's it at, and who has access to it? Man, I f- I feel like you just summed up my entire career just in, uh, [00:03:00] in that statement, Brian.

I think, uh, yeah, yeah, that's, that's big. And I, I think what's scary, I mean, it's not surprising, but it's scary, is a lot of organizations can, still cannot answer some of those questions. Oh, yeah For sure. Um- And you know- In fact, I'll take it a step further. I think I'll take a step further. A, a lot of organizations aren't asking those questions yet, which I think is even worse.

You know, it ... I think they may ask of security, or they assume of security that security is protecting the data. Well, security may have asked the question of like, "Well, what data?" And they're like, "Oh, well, it's right there. It's in, it's in my home directory or, or whatever." And they're like, "Yeah, you're good."

But what, but what people don't realize is it's, it's moved. It is no longer just where it's supposed to be [00:04:00] because that includes ... Well, the question would be, do you have a smartphone? Are you accessing it on your phone? Is it in your email? And now you gotta look at the controls that exist that ... I mean, it's, it, it's, it's like a ball of string that's got multiple ends sticking out of it.

And so the question is you pull on one, it unravels, but you still have a whole ball with all these little pieces, and you still have to pull at all of them, um, to get to the, to, I, I'd say to the root of it. But in each one, like, like I said, each one's its own rabbit trail. I, I, I agree. And, and I, and I took notes of the ones you said and, and yeah, all, all good questions.

I mean, they're all questions I've definitely when I've joined organizations that I've asked. And I think ... I mean, you didn't specifically say it, but, uh, I feel like you were saying it without saying it. Like, those are all questions you ask, but you're gonna ask them [00:05:00] of various people, teams, departments, whatever, like.

Oh, yeah. Yeah. E- even your rabbit holes have a- rabbit holes, right? Of course. Oh, yeah. Oh, yeah. Oh, yeah. Well, and the thing is, you're, you're, you're asking different people, you know, what's, what's the important data to you? So- Right ... you know, finance has got, well, our, we've got our strategic financial planning that's three years out.

Well, that's important to us. And then you've got the, the, the development team who's got access to, you know, PII. Well, that's important to them. And then you've got the intellectual property team who says, "Well, that's important to us." So yeah, you have to go to each of your business units, each of the, to different areas and say, "What is important?"

And, and then you have to go through this whole, the whole spiel all over again. You have to pull it apart. You have to explain why you're there. You have to ... Yeah, you do all those kind of things to, to [00:06:00] get to, all right, you know what your data is, and you know where it's supposed to be. Now how do we identify if it exists elsewhere?

So- Right ... y- yeah. I mean, there, there are some of these that- Yeah. They're, they're, they're pretty on target. They know what, they know what's, what's going on. Then you got others who, like, I, I don't, I, I, I don't know, right? And then now you really, really become, um, partnered at the hip to, to help them solve the problem. What I've always liked is having those conversations. You get kind of the answers, here's what we have, here's what we create, transmit, transform, whatever.

Um, a- and then you kinda do a discovery, either manual, scripts, tooling, whatever. And then it's like Survey Says, guess what? You now have this other data. Did you know? Oh. Oh, my goodness, like, no. Where'd that come from? And there's, there's another rabbit hole, right? You got no, no... You know, again, our, our rabbit holes are becoming infinite at this point, where you're going.

So [00:07:00] kind of bringing it all back, Brian, a lot of what I'm hearing you say up front is communication, right? Sitting down, chatting, stakeholders. Any tips or tricks from your, your past that you've used or whatever that, uh, our listeners might benefit from? You have to go in, um, in terms of the, the individuals that you're working with or trying to assist, and, and you almost have to act... I'm gonna, I'm gonna say it, but you almost have to act dumb in some cases to say, "I don't know what you do." Maybe you do. You know, you, you know, you're like, "I don't know exactly all the data that you have.

Help me understand so that I can do, b- you know, security stuff." Right? 'Cause they don't need s- they don't need, they won't care, um, or don't really care. Are you gonna talk about data loss [00:08:00] prevention? You're gonna talk about this control or that control? Most of the people that you're gonna be talking to won't care whatsoever.

So really- You've gotta care about what it is they do and what it is they either have access to or the data that they may produce in, in the job function that they, you know, perform. Um, so yeah, you're asking questions and, and, and that's... I think that's the, the main keys, right? Can you ask a intelligent question?

Can you ask a question that either makes the other person feel like, "Oh, I'm, I'm really here helping you," instead of Brian here helping them, right? So they're trying to educate me, and they're trying to bring me up to speed. Um, so I've always felt, found that kinda going in as a [00:09:00] non-expert of anything, um, allows them to be disarmed in a way, and allows them to kinda be like, "Oh, let me help you gain some knowledge," or, "Let me help you...

Let me explain something." So to me, that's, um, really the, the first part. Um, the second part is you gotta be able to put a- and I called it that investigative journalist kind of hat on, that just s- ask the question why, why, why- ... why? Or, you know, maybe, maybe the, the th- the third why is really explain it again or, or something.

But, um, you... They're gonna g- deliver some nuggets, and you've gotta be able to pick out what those nuggets are and what do, and what do they mean. Um, and then the last part is you've gotta be able to say kinda like, "Hey, let me make sure I got this right," by saying, "You're talking about this. You do [00:10:00] X, you do Y, you produce something else, and it sits, you know, on this server or in this cloud or somewhere."

Um, and then really make sure that they go, "Yes, that's exactly what we do." Um, maybe they'll thank you for listening, uh, or for understanding. Uh, but at the end of the day, you, now you can, now you have somewhat of a game sheet. I, I won't say a plan because you don't know all the, the ins and outs of, well, how are you gonna go find that data?

But at least you have a starting spot. I like that. I like that. And I like the idea of the investigative journalist. Um, you know, I've certainly played that role a few times, and I've done the why, why, why. Like, "We do this why? We do it this way why," right? You just keep going. It's almost like, you know, I've, I've got a five-year-old, right?

So it's almost like a five-year-old asking, "What do I do and why do I do it," right? And then at the end, you, [00:11:00] you k- you kinda question yourself, "Well, that's a good, that's a good question. Why? Why am I doing that?" Um- For sure. And, and, and what I just ... So while you were kind of going through that and talking about investigative journalists, I, I, I was thinking,

today's day and age, AI, right? AI this, AI that. But I'm actually thinking about a good usage perhaps of AI as you were saying that. There's these AI note-takers everywhere, right? Like, you can even buy a pen now, right, that you turn on, you sit down and have a conversation. It's gonna record, and then it's gonna put all of that into, uh, you know, speak to text essentially.

And I'm wondering, I've never done this. I'm sure I'm not saying anything new. I'm sure people do this in consulting all the time. But I feel like you could do that, right? You could have a real conversation, do all that journalist thing, let AI record it all for you. And now as you're building out [00:12:00] your repository of information that you're recording, you can almost now have AI tell you back, you know?

Right? All these conversations, all these people, who are they, what do they do, how do they intermingle, what's their data? And, and hopefully get some sort of readout that makes a little bit of sense. Yeah. I mean, I, I, I see no concern with potential note-taking, right? To, to- to- Other than putting all sensitive data right in there, right?

Like- Right. Yeah ... we're protecting data now we're putting in more data. Well, and I, and I think, you know, uh, uh, there's, there's the, there's, there's ... We've seen it where AI is helping large data models, you know, produce something that a human would have never seen, you know, looking at line by line, right?

And I think we see a lot of opportunities there. Um, but you just took all your [00:13:00] sensitive data and told AI, "Hey, find me that needle in the haystack." Yeah. Well, well, whose model did you just use? Where did you just put that data? Who, who just ... Who, right, which, which agent, which AI just read through all of that and it's out on the web now?

Yeah. You, you got a blueprint for your entire organization out there. Yeah. Right. And so I think, you know, from a security perspective, we've gotta be able to, you know ... We, we've gotta, one, partner with the organization to understand, hey, these departments are using AI. Great. Love it. But security has to have, be one step ahead that says, "We're also heavily invested in using AI, not just to make things easier, but to help the [00:14:00] organization-" Um, not step on their own toes, right?

By, because if you've gotta, I mean, again, we all know controls are part of the life of a security professional. You've gotta have those pieces in place. You've gotta have, you know, building block A, B, C, and D to really make the, the chain solid. Um, so AI controls are j- are the same, and how are you identifying the data that's going to one of these AI, um, you know, engines?

And is that your important data? Should it be going there? Um, so I think that's a, you know, those are questions that have gotta be a- asked. Again, you've gotta investigate these things to go, "Hey, business, what are you doing? How can I help? Hey, let me, let me explain," right? So you're, man, you're, holy cow, you're like a, um, a counselor on so many levels of, like, [00:15:00] I'm the, I'm your tech counselor.

You know, I'm, I'm your part- your business partner counselor. I'm your, ah, you probably shouldn't do that counselor, you know? Right. And so I think there's a lot of, lot of pieces that we, a lot of hats that we pl- wear at the exact same time to understand what's going on, but at the same time educate what's going on.

Totally agree. Totally agree. I, I wanna go to ano- another one of the, the questions that, that, uh, that you mentioned earlier to ask, 'cause I think it's a very interesting one. So we were just talking about, right, talking to business, talking to people, getting those questions answered. So one of your questions you identified was, have you looked everywhere?

Yeah. Right? And definitely a valid question to ask of a person, have you looked everywhere? And I think you're going to get an answer. Uh, maybe it's a, a shoulder [00:16:00] shrug or I think so. So I mean, here's another one of those rabbit holes we're about to go down, but I think it's okay. If you ask someone, "Have you looked anywhere?"

I feel like there's a trust but verify component to that, right? Sure. Like, cool, I got an answer from you. Maybe it's right. Maybe it's not. Maybe it's a half-truth. What, what do you think? Like, where, where should folks go to actually, or how can they start to hopefully crack that nut? 'Cause that's a big one.

That's probably the biggest one of all the ones you mentioned is have you looked everywhere? Yeah. The, the situation of looking, you know, precipitates the fact that you know what you're looking for, okay? Um, and if you are in an organization that does, I, I'm gonna say a very narrow- Type of something that's [00:17:00] super easily identifiable, then yeah, maybe there are some, some technologies, some tools that can go across every data file looking for, you know, whatever that, uh, combination of letters and strings might exist.

But if you are healthcare and credit card, PCI, and intellectual property, and something else, trying to pull all four of those different data types, when I, when I say type, right, I mean, you know, PHI being a type, um, never mind all the, the, um, attributes within that type. But trying to find where that exists, there's, I've had a really, really hard [00:18:00] time with different technologies being, uh, being successful at doing that, not just at, let's say, an egress point of email or, you know, some sort of, you know, web interface, but now I wanna go look on laptops, and I wanna go look on, you know, the thousand servers we may have, because stuff moves.

Now, how do I identify th- that file that was, it started out as an Excel file that had columns and rows that then get translated, transferred into a Word document that contains some of that. Now, you know, how do you do that? Some vendors say they do it better than others. Well, of course they do. Um, but I, I think that is, you, you, that is the hardest nut to crack, I think, in, in [00:19:00] this whole where, how to take what you're looking for.

I know what I'm looking for. Here it is. And then go look for it using what? Because I can tell you, I've not had really, really good success at all with using regular expressions and, you know, keyword searches. It, too many false positives, too much noise, and- Oh, yeah ... you know, it just becomes way harder than the actual, we found something, now what do we do?

Well, a- and also, where do you look, right? I, I think that's so, 100%, right? What am I looking for? We- Yeah ... establish that. How do we describe it? You know, keyword, right? I mean, all of that aside, if you had the perfect way- Sure ... to describe it and locate it, I think then we have the age-old problem, um- You know, shadow IT is, is the common term for it.

But I, I like to break it down, right? What is shadow IT? Well, there's shadow SaaS, there's shadow, [00:20:00] you know, devices, e- even shadow data is a real thing, right? Oh my goodness, we forgot we had that data sitting over there. It's 30 years old, what the heck? Um, but shadow IT is such a big problem, especially with data repositories, on-prem- Yep

new cloud environments. You've got a, a, a cloud architect that stands up a new S3 bucket, doesn't tell anybody. Now there's some data in there. Like, just gets crazy. So... And then that's, that's where I often would have the problem with the business. Like, they, they could tell me, "Here, here's our data, here's what it is.

Have you looked everywhere?" You know, "Oh, we've got this, this database and this application." Well, they might not know, yes, but you also have that in staging and non-prod and, oh, by the way, you got a backup over there. And it just, it gets crazy, right? The pl- proliferation of, uh, of technology. So, uh, uh, and you've been, you've led a lot of different teams [00:21:00] in your career.

So I- I'm curious, let- let's, let's go to shadow IT a little bit. I mean, it touches shadow data. Any, any thoughts or tips and tricks for our listeners on how to, you know, maybe get your hands around, uh, a little bit of the shadow IT problem? Well, so if you're thinking around the data problem, so, um, the data problem becomes, in my opinion, less about shadow IT or...

Because it's, the data is the data. Right. Right? So whether it's, you know, HR person that's got access to the whole HR something, you know, and then they go, "Hey, we've got a new vendor that we're evaluating. Here's some data." Now, that vendor has put it in their [00:22:00] third-party application that's not necessarily been vetted.

Um, so is that, that's not shadow IT. That's just, that's just bad practices. That's just bad governance, right? Yeah. So now, is... And I don't mean to pick on HR in any, any way, but you know, shadow IT, again, is just do you have the right governance and, and procedures in place? And that goes back to do, does security have the right capabilities to detect what is important to the business, right?

So to me, it's less about... It, it's more like bad data practices than it is, you know, shadow IT. Because anybody, anybody can be this data [00:23:00] exfiltration, accidental or otherwise, um, because they're doing the right thing, it's just, it's just bad practice. In all that, Brian, you said something I think really important, really important term, uh, and th- that term was governance. And, um, you know, I feel like governance doesn't get a lot of attention in security. I think it's gotten better, but let's be honest, like governance, GRC, it's not sexy half the time, right?

It's, it's not red teaming, and not even blue teaming, right? You're, you're not really technically doing a lot of technical stuff. It's making sure you're doing the right thing. So, uh, and I, and I know you- you've done, you know, audit, compliance risk in, in your own background. So let's talk about that a little bit, governance.

If folks don't have the proper things in place, what's the basics? What's the basic things they need to get in place for data security? Yeah, governance is, is one of those things that ha- [00:24:00] just like compliance or audit, it happens behind the scenes. People don't really know what it is or what it's doing, um, until it doesn't work, until something is like, "Well, why did that happen?"

And then somebody points and say, "Well, you didn't have governance or something." I don't know. But the, the situation related to, like, well, this data or governance is, yeah, you may have some red team stuff that happens that sounds all sexy and fun. Um, I actually think that being part of the governance and risk component is more, has more capabilities to help drive business instead of, yeah, the red team stuff says, "Hey, I, I, you told me what data to go find, and I found it over here."

Well, great. Now, let's- we're gonna go back. We get to go [00:25:00] back to the business and have a conversation about the risk associated with what d- well, data being wherever it's at, and two, how did it get there, and how do we then work together to make sure that we reduce that risk? Um, right? So then the question becomes, all right, do we have the right governance in place?

That could mean anything from some sort of policy or procedure that might even include education for that business unit. But at the same time, do we have all the right controls, the right configurations to help the business not step on their own toes? Because we see that happen all the time. I mean, you've probably seen it, that somebody goes, "Well, I was just doing X."

Well, and X, you're do- they were trying to do the right thing. It just- [00:26:00] Created a bad outcome of some way, shape, or form. But they were trying to do, they weren't doing anything bad or nefarious to begin with. Yeah. Yes. I, and I, and I'm laughing 'cause I'm not actually picturing, as you said that, I'm not actually picturing business or my job at all.

I, I picture, so I, I've got a five-year-old, right? And, and I'm actually picturing my five-year-old do something, and it's very applicable to business, right? The business will act like a five-year-old quite a bit with technology. And it's like something happens, or actually he did something the other day, dumped a bunch of water on himself.

And I'm like, "Dude, what were you doing?" And he tells me what he was doing, and it's like, "Man, okay, like, I understand what you were trying to do, but the whole way you went about it, of course you wound up with that bowl of water on your head because you did it wrong." Um, same thing, right? Same thing with business.

'Cause you're right, they don't mean to be bad. No. Most users don't wake up in the morning and say, "Hey, how can I tip this bowl of water [00:27:00] on my head and get all wet and then complain about it?" Um, no. Like, they're, they're doing their job. Yeah. Yeah, yeah. No, I agree. I mean, they, and, and I think that's what we see 99.9% of the time on these things is, "Hey, yeah, I copied that file that held all that information because, you know, person, person over in department X said they, they needed it for their project.

So I put it out in a common directory where we could both- Mm-hmm ... get to it." Well, you're trying to solve a, you're trying to solve a business problem between, maybe between finance and sales or whoever, but you just put that, all of that information on a directory that you both had access to. Oh, by the way, that's the same directory every person in the company has access to, you know?

Right. You know, instances like that, we've seen those happen over and over again. All the time. [00:28:00] All the time. And that's even becoming a bigger issue now with, you know, the copilots that are out there and stuff like that. Because, um, you know, public d- and I'm not saying your, your example's a public directory, but let's assume it is, right?

They put it in a public directory to share things 'cause that's the easy button. And maybe they delete it after. That would be best case, right? Plop there, next person grabs it, and they delete it. Awesome. Um, but more than likely forgot it, right? Hey, I grabbed it. Thank you. It's still sitting there. And, and guess what?

Anybody with a keyboard using their copilot can search and perhaps find that, and hopefully it's not very material. But it could be, you know, the, uh, you know, brand spanking hot off the press, hey, we're doing this M&A activity. It could be a RIF list. It could be your, your CEO's compensation. Who knows, right?

It could be relatively sensitive. Right. Yeah. And, and those examples expound even [00:29:00] beyond, you know, the idea of, you know, some common directory. Um, we've got Teams, you know, and, and shares that are on Teams that who is now respo- depending on your organization, who's responsible for that team channel- Mm-hmm

and/or the directory that's associated with that channel where you put data. Well, is that a sensitive channel? Who's, who can add people to that channel? You know, that's governance. That's part of governance. And, you know, are you delegating that out to the business owner of that channel to now manage who has access and to which directories and what data?

Mm-hmm. So it, it gets a little bit more... It sprawls a little bit [00:30:00] beyond your traditional, because I guess, you know, and I guess some organizations, maybe their, their identity management solution might be able to manage all the way down to those levels. But, um, I- Maybe. The, the two that I've been, that were, where Teams was super important, it was delegated to the- Yeah

to the channel owner. Yeah. Which actually, so naturally it g- it goes to one of the last questions that you posed at the beginning, which is who is supposed to have access, right? Right. And, um, you know, that, that can go many ways. Again, to your analogy of the rabbit holes, many different rabbit holes there.

Um, but what's interesting is what you just brought up, where you have, um, delegated responsibility maybe to tho- those repo owners, be it teams, a, a file share, whatever. Sure. It doesn't matter. The repo doesn't matter. Um, you know, [00:31:00] first do they know, right, how, how to handle that versus, "Oh, uh, Brian came to me, I need to give him access.

Of course, click, approve," or Adam or whatever. Right. Um, a- and do they have the... So do they know, and do they have the proper training, right? Uh, I, I feel like most organizations have security awareness training, but what we're talking about here with regard to, like, data access training, I don't know. I don't- This is specialty training versus your- Yeah

'cause security awareness is, is generally considered general training, not some sort of specific, right? Yeah. Yeah, yeah. So to train someone to say, "Hey, congratulations, you're now a, a Teams channel owner. Uh, your Teams channel is authorized for confidential data. This is what it means." Um- I can't say, and I have not worked everywhere, I can't say that I've ever seen an [00:32:00] organization do that piece just yet.

You know, have specific training for those types of people. No. I, I, mm, I have seen it happen once, um, one time, but it was on the rollout. Ah. So, so if you were inside the organization and a Teams channel owner to be trained at that moment, that's great. But three months later, you left and they promoted somebody else in, they don't get the training.

Yeah. It wasn't... They didn't think to record it. They didn't ag- think to say, and now it's, you know, when somebody hits a certain level or, or gets this new entitlement, that it would now trigger a training requirement. Nope, it was one time. I, I think that's pretty common. You know, right now we're talking about, like, data access, but actually...

So yeah, I, I [00:33:00] too, now that I think about it, you know, brand-new initiative, brand-new environment, yes, I've seen that, right? That was kind of the onboarding. Yeah. Congratulations. Yeah. Here's the, here's the new shiny object we're managing. Um, I've seen the same problem on, like, data classification initiatives, right?

Sure. You roll out a new data classification initiative, you train the whole enterprise, right? 'Cause you need to. Um, but the level of training you just did, either there'll be none for future employees, to your point, or it'll be a severely, like, redacted and smaller version because, oh, it's commonplace, it's culture.

We don't need to do all that again. Yeah. Is it though? Yeah. Yeah. Well, you know, and I think, and that, that goes back to, you know, how do you identify the data? Um, c- can you put... And I, and I think this is, this is one of the places that I worked, we, we, yes, the rollout to begin with for identification of data [00:34:00] to be, um, have a certain, whether it was a classification flag, whether it had to have some sort of footer, you know- Mm-hmm

flag, you know, keywords or, or something. Yeah, that went out initial rollout. But the roll-on plan, the maturity plan, was to then be able to use a lot of that understanding to now create automated triggers for when data was created or manipulated, right? So open up- Yeah ... an old document, it matches whatever, and it automatically puts some sort of, you know, watermark or footer mark or, or something, um, that then- would transition out of the hands of the user. Hopefully.

Right, [00:35:00] hopefully. And I've had that, I've had that exact same conversation a few times lately, where it's like, "Hey, Ward, we've, we've conquered data classification, but it's January 2026 and newer." It's like, oh, so you have four months of, of conquering the problem. Cool. Yeah. And then we both kind of sit there and, and shed a tear together as like, well, what about the last 20 years of data we still have sitting somewhere?

What are you gonna do? And yeah, that's, that's one way of doing it, for sure. Yeah. Yeah, I mean, there are some... And, and I, and I, and I'm, I'm hopeful that having an on-prem AI type of instance, um, that can be fed, um, specifically depending on your organization and the, the type of work you do, where you collect certain data elements, um, it would be great.

You know, like, all right, all of our data elements are collected on a [00:36:00] form. Mm-hmm. You know, maybe an HR form or, you know, maybe it's a registration PHI form. You know, something that could then be fed to the AI that says, "This form is what we're looking for. I don't care." And it only needs to be i- identified when the form is filled in.

If it's a blank form, we don't care where it sits. It's only when it's filled in. So, um, that's the, that's the, the hope, I would say. And I'm sure there's a vendor out there that goes, "I do that." Yeah, you do it for one use case, but you don't do it for the other five use cases, right? Yeah. And, um, being able to feed it that says, "This is the data."

Um, some of them have done that in the past, but they have, like, database limitations, like of a million rows. Like- Right ... well, I can, how can I... I can't, I can't read in all my data, so how do I then read in [00:37:00] what's the more important data versus least important data? And, um, so I think there's a lot of use cases that maybe AI can help with because you can maybe feed it all of it and then say, "Go find it."

Um, but that's the, that's the, that's the next level I'm waiting to see. It's, it's definitely getting interested. Um, so speaking of next levels and just levels in, in general, uh, Brian, you- you've been in the industry for, I'm not gonna age you, we'll, we'll say over 20 years, right? Sim- similar to myself. Um, and you know, you're, you're now a, a global information security director.

Um- What was your journey? How did you get here? Oh, man. Um, so that, I- I- I feel like it's a funny story. Um, but so I, I started, I started doing some programming, um, realized that was probably not [00:38:00] my forte. Um, but it was a good experience, but it was not my forte. Um, started doing, uh, server administration with NetWare- Mm-hmm

um, and then doing some network archit- or network engineering kind of stuff. And I walked into my boss's office one day, and he had this new box just sitting on his desk, and I go, "What's that?" You know? It was like, thought he was gonna tell me, you know, it's a new what- ... And he's like, "It's a firewall." And I, and I, and I said, "What's a firewall?"

That was ... And he goes, "You wanna mess with this?" And I'm like, "Yeah. You know, let me figure that out." So, so my journey into security started with a question. It was an in- inquisitive question, and but it was, like, I, I didn't even know what a firewall was. And so I became security person number one at that company doing [00:39:00] firewall administration.

Uh, then, you know, then the other things came into purview with, you know, URL filtering and, um, uh, some access control stuff and eventually DLP. Um, and then, you know, forensics. Then I got into risk. And so yeah, so that was probably, um, a five-year journey of, of doing from what is a firewall to being able to say- Wow

you know, I've, I've touched just about everything. All from a- so I feel like you, you just took me full circle here, man. It all went from asking a question. That's where we started, right? Yeah. Asking a question, understanding. It's all... So, you know, those five years, continue. What else? Well, I mean, from there, it just became...

So and I had a [00:40:00] mentor of mine, and so, I mean, for the listeners, if, if you don't have somebody that is somebody you would go to and go, "Hey, I'm thinking about this, you know, do you see me doing that?" And, and, or, "What am I missing as part of my toolbox to be able to do what I'm, the next thing I think I wanna do?"

So if, if you don't have one, you need to find one. Um, and it's a lot easier than you think. It starts with a question. Will you, "Hey, would you mind helping mentor me?" And I would almost guarantee just about 99.99% of everybody that you- they'll say, "Yeah, sure. How can I help?" But so that's where my ... So part of my journey started with, with a guy, um, who came into the organization.

Again, I had been doing all this operational [00:41:00] security, um, components. He came in, and I'm like, "He knows what he's talk- He knows stuff. This guy, he's done security program management stuff, man." So I went to him one day and said, "Hey, um, I wanna sit in the seat that you're sitting in one day. And but there's

When I see you do something or say something or agree to something that maybe I'm thinking, 'Why in the world would he do that?'" I said, "I'm gonna come ask you." And I said, "So don't give me any of this, 'Well, if I tell you, I have to kill you,' kind of stuff." I said, "Just, just help me." Two days later, I get called into my boss's office.

This guy was sitting there, and he goes, "Brian, as of today, you report to him." So I went from the networking team doing operations over to now what was becoming the new security team for this guy, and he said, "Brian, do you wanna [00:42:00] run keyboards all your life and configure firewalls the rest of your career?"

And I'm like, "Prob- no. What else is there?" Question, what else is there? Mm-hmm. And he's like, "Let me tell you." So he actually changed my trajectory to becoming somebody who understood security from A to Z. Now, am I ... It ... Are all of my A to Z ... Am I an expert at everything? No, by no means, but I've been there.

I've touched everything. I'm familiar with it. And he goes, "And you need to learn how the business works because if you can translate something that's technical, whether it's IT related or security related, to the business in terms of ... They're going, 'Why are we doing this?' Well, let me explain it. Then they're like, 'Oh, I had no idea because the me- the email we got didn't say [00:43:00] any of that, Brian.'"

Mm. And so really trying to be that commit- So anyway, I, I went from doing the operation components, to being mentored, to striking out, creating some risk management programs, helping build ... couple organizations build something from scratch, and then, and then landing, you know, to, to the point where I realized it's not about me just making the next move for me, but how do I take- And help the people that report to me make the next move.

And so, um, and, and that, and I can think of one instance d- where two, the, these two young ladies were in a hallway talking to me and one said, "Hey, I've always wanted to move to Australia. You know, me and my fiance, we're thinking when we get married we might move to Australia." I'm like, [00:44:00] "Well, where in Australia?"

And so she told me, she goes... And I used to work for a company that was h- headquartered in that city. Um, and I said, "If you do that, you need to come back to me because I know some people that I can probably help connect you with directly." Um, and the, the other person standing there next to me, her jaw dropped, and she goes, "You realize B- Brian's not trying to tell you don't leave.

He's like, 'Yes, if you wanna go, how can I help you go?'" She goes, "That's how somebody who's looking out for you is willing to help you at the detriment of losing a really good employee." Um, and, and the other, the other person, who was a lot, lot younger, just came out of college, and was like, "Oh." I don't think it, I don't think it stuck, you know, in, in, in the, um, it...

I don't think it hit the right mark with her, but it, it made an impression on both [00:45:00] of them. That's awesome. So- That's awesome. Well, I mean, great, great story for sure on, on, on yours. And, uh, I, I like going back to the theme, asking a question. I think that's, uh, that's fantastic. So Brian, if, if folks wanna connect with you or, or who knows, maybe even ask you the question if, if you'll help mentor them, um, what's the best way to connect with you?

Well, so, um, message me on LinkedIn. That's a great way to, one, um, maintain a, a business connection of, um, so I can celebrate if you make a move or you make a, a post. I can, I can help celebrate that. Um, and then we can then connect and share, um, email and phone numbers and, and really, uh, really talk, right?

So, um, doing this is, is a lot of fun. [00:46:00] Um, but helping... A- and that, I think that's one of the things that I, I really enjoy doing, is helping others think about their problems. Because we all have the same problems, right? It's just me being that maybe I did it three times and still failed, and you're on your first time and I'm like, "Well, don't do this, this, and this."

Right. So I'm willing to help wherever I can. Awesome. Awesome. Well, Brian, thank you so much for joining. This has been a great episode, sir. Appreciate it. Thank you very much. Thanks for having me. This is a, um, again, uh, trying to work through a problem and, and kind of just pull things apart is, is where it's at, and then working with others to help e- each other on your journey.

Um, but I will, I will say this: If you don't ask questions, you never know, you're never gonna know the answer. Great [00:47:00] advice. Thank you. And big thank you to the audience. Really hope you enjoyed the episode and learned something today. Please tell others in your network to follow and listen. This has been another exciting episode of Guardians of the Data.

See you next time.

Speaker 2: That's a wrap on another episode of Guardians of the Data. Thanks for tuning in. For show notes and more, visit Guardians. The data do show. Guardians of the Data is made possible by support from Sentra. To see how we help organizations discover and classify all of their data accurately and automatically while quickly achieving scale data protection without the fuss, please visit sentra.io.

Catch you next time.
