Governance Never Ends - Zach Lewis - Guardians of the Data - Episode # 47

GOTD - Zach Lewis
===

[00:00:00] Welcome to Guardians of the Data. I'm your host, Ward Balzerzak. Each episode will explore the passions, expertise, and real-world experiences of security leaders who are helping the future of data security and governance. Guardians of the Data is made possible by support from Sentro. To learn more about our AI-powered data security platform, please visit sentro.io.

Let's dive in.

Ward: Welcome back to another episode of Guardians of the Data. My guest today has 15 years of experience in the industry. He's a cybersecurity leader, speaker, and author. Currently the CIO and CISO in the healthcare and higher ed industry, Zach Lewis, welcome to the show.

Zach Lewis: Hey, everybody. Thanks for having me, Ward. I appreciate it.

Ward: Glad we got this going, man. So in your professional opinion, what's the biggest challenge organizations are facing when it comes to data security?

Zach Lewis: Uh, I would say probably just not knowing where all their data is, what's in it, who's touching it, where it's going. I mean, [00:01:00] you pick, pick your flavor of, of data problem of the week, but, um, all of those sort of coalesce together into a, just a major data governance issue. And, and that's only, uh, made, made larger, made a bigger issue with, with the advent of AI.

And I, I mean, this is nothing no one in the audience probably hasn't heard before, but, but it still remains true.

Ward: Yeah. I mean, it's, it's been the key. It's been definitely what, what I've been kind of beating the drum to the last, you know, two decades at this point in my career. I- I'm curious, you know, A- AI is the new hype. It's not really a new risk vector, in my opinion, from a data security perspective. But, um, what, what are your s- what are you seeing or what are you doing to solve for these problems?

Zach Lewis: Yeah. So our, our data journey actually started, um, right, right before ChatGPT first came out, like the first iteration of it, um, like three point O. We were coming off the, uh, ransomware, uh, [00:02:00] event and, and trying to navigate through that. And, and we were in a situation where at that time, to my earlier statement, we didn't quite know where all of our data was, what was in it, how sensitive it was.

So we, we wanted to have, have arms around that, so in the future that wouldn't happen again. So we started a big data governance journey around sort of classifying our data. We had a data classification policy. It listed the four classifications we used and, and gave examples of those. Um, we, we, we took that and we, we started shopping around like, how are we gonna do this?

Is, is maybe Microsoft's realm, the, the real- the way to go. We, we have a, a pretty big Microsoft footprint. Started trying that, and it was hard. I, I mean, data governance is, is hard, and it's maybe even made harder by Microsoft. It was difficult. So, uh, we started shopping around, talking to people at, at conferences and events, some of my peers, and we found, oh, this is the first time we ever heard of DSPM, um, when we started exploring the DSPM space.

And I would say it's probably around the time DSPM sort of blew up maybe three, four years [00:03:00] ago, um, started coming on the scene. We ended up, uh, demoing several products, picking one of them. But, um, using that product to, to sort of tag all of our data, classify all of our data based on that policy, used, um, you know, AI built into the system to do that, um, very quickly, um, at scale.

And then from there, you know, understanding the, the categories of data, the classifications of that data, we were able to put rules around it. So who could access it, when could they access it, from what kind of device, um, times of the day, different roles, responsibilities, things like that. Um, and, and we built that out over a two, three-year period.

So about the time like Copilot came on the scene and everyone wanted to start to use Copilot, we were in a really good place where our data was, was, was classified and tagged and, uh, we felt pretty good about, uh, being able to enable our, uh, our, our users to use Copilot, run AI and, and probably not get too overly sensitive data that they shouldn't have access to.

Ward: Man, that's, uh, that's quite the journey that you gave us real quick there. [00:04:00] Um, I wanna, I wanna go back 'cause you said something a- and I know it kind of, uh, you know, definitely relates to your book, right?

Zach Lewis: Yeah

Ward: Uh, you mentioned a ransomware event happens and, you know, um, a menta- so I've, I've been in a few cyber, uh, events myself, and I've always been of the mentality of like, don't let a good crisis go to waste.

Zach Lewis: Why is that?

Ward: It's, it's one of those things that you, you finally discover, hey, I've got some dollars now to go do something, whether it be hire or change or spend time. So, uh, I got a few other questions for you ba-based on your story, but wi-with that, how did you find or maybe it was easy say, you know, once, once you recovered, um, "Hey, folks, like, our hit list of priorities. Here's what we need to do." How did you find success actually pushing forward with data security out of that?

Zach Lewis: Yeah. So again, yeah, don't let a good crisis go to waste. Um, we, [00:05:00] we had viewed, um... We, we picked up two major tools after our, after our incident. One of them we had viewed before the incident, liked it. Um, it was, it was an enterprise browser for those that care. Um, we just didn't have budget for it at the time.

Um, and then, yeah, right. And then the DSPM was, uh, sort of that, that net new that we hadn't explored yet. So coming out of the event, um, went back and it was like, "Hey, we think this, this enterprise browser would help with our environment. We're very, we're a very SaaS-first shop. We're very cloud first." So pretty much everything, all the, the software that the majority of our users access is all through the web browser.

So we were like, "Let's get a browser. Let's put security there. Um, that'll help." Um, so we, we, we got budget for that. And then, um, just talking with the board, talking with leadership about that data, I, I mean, that was a big sticking point for us was when we were attacked, the threat actor said they, you know, they had 75 gigs of our data, and then that increased to like 175 gigs, and then it was 380 gigs. [00:06:00]

And we were sweating bullets like, that's a lot of data. What could potentially be in that? And trying to, to base that off of like a file listing that we got from the threat actors, like just based on the names of the file, is, is that, is that sensitive? Could that be sensitive? And not knowing and that uncertainty.

So we ended up, you know, only having about two and a half gigs of data actually stolen, which is part of the reason we had trouble detecting it. And, and then going through that, we actually manually went through that data when it was finally posted to see what was in it. And unfortunately, it was, it was a null sort of, um, a-attack and, and we got out of it pretty unscathed.

But, um, we didn't wanna be in that situation again. So I, I was able to easily pitch to, you know, general counsel, to the leadership, to the CFO, different folks, and they understood like, yeah, we, we need to know what's in our data and where it is. We don't, we don't want it to be stolen. We don't want to have to pay fines.

We don't want, you know, this, that, or the other. Like, let's protect our customer stuff. So once we actually found a product that worked, um, uh, in our environment and that really [00:07:00] kind of squared that, that circle, they were all on board on grabbing, moving forward with it, and that's what we did.

Ward: Very interesting, right? Very interesting. And, and obviously, right, you were successful. You got some tools and you've recovered and all that kind of good stuff. You, you mentioned manually, manual review of, of the data, which I think any listener is likely shuddering about that, right? Like, oh man, that's painful, 'cause some of us have probably done it before. I'm curious, 'cause I've, I've had, again, I've had this conversation in the past with executives and other leaders, and in some there's the mentality of, well, if it happens, it happens. It's not gonna be a major time suck, right? Just like almost the it'll never happen to me mentality, which I think these days is, it's going to happen to you.

Like still it's not the, not the, uh, if, it's, it's the when essentially. So if you had to guess, like how long did that take for you guys to do that review until you were comfortable understanding what that data was?

Zach Lewis: Two and a [00:08:00] half gigs didn't take that long. We, we spent a couple days on it, me and a couple other people just, just pouring through that. Um, really starting at the top. Anything that looked like it might be something sensitive, you know, from opening a file or filing, we just moved it to another folder.

Like, hey, this is the check folder. Trying to get through the majority of the stuff. And then after we did that first cursory, you know, look through everything, then we jump back to that, that folder with suspected sensitive stuff and then really dive into that. Um, and that's how we parsed through it. What was, uh...

I think what would've been different is if that had been a, a much bigger, you know, dump. Uh, when, when the threat actor was claiming they had 380 gigs, I mean, it was even suggested around the table, like, "How are we gonna go through that?" And a couple, couple people on the leadership team was like, "Well, it'd have to be manual review."

And I'm like, "I-- That would be more than my lifetime, probably. That could be, you know, millions and millions of files. I don't, I don't... I'm not gonna be able to do that." So then it was like, "Well, do we ship it out to a, a company and they, like, parse through it?" And it's like, all right, yeah, I guess they, [00:09:00] they probably could.

How much is that gonna cost? Is that covered by insurance? Is that something we're gonna pay out of pocket? So a lot of conversations spun up from that. Uh, and, and I don't think a lot of the, the team, the leadership team specifically outside of IT, understood how many files, how much data is, is 380 gigs.

Like, no concept of how, how large a, a DOC file or a PDF was, um, on that scale. So when you really lay it out like, "Guys, you're, we're ta- we're talking millions of files. Like, do you understand how long it would take to open millions of files and check it for sensitive data? Like, crazy."

Ward: It seems small, right? When you, when you say it out loud, it, it does seem small. Um, well, let's be real, like 380 gigs, okay. Like, most organizations these days are measuring, like, total data real estate, you know, hundreds of terabytes to petabytes. But, like, again, just throwing numbers out, like it seems small, but you're absolutely correct.

Millions of files, and even the couple gigs that you had was probably still [00:10:00] thousands of,

Zach Lewis: We've got thousands, yeah.

Ward: Of stuff. Yeah. That's, that's nuts. That's nuts. Going back to another statement I think was very important for the audience to hear. Again, it goes back to many conversations I have. Kind of setting the table, at least from my side here, and then going to your statement. Many data protection, uh, programs that I've either helped to form or have formed have taken a while, right? It's not, you go in, one or two weeks, bam, you're up and running, you're smoking, you've got all these tools and processes in place that are protecting the data. It is a journey, and it is, I don't know it's longer than a marathon, but it's longer than a marathon, right?

It takes some time. Going back to you said, you said two to three years, two to three-year period is, is kinda where a lot of that came, came through. So I'd love to hear, at least at a high level, like [00:11:00] what happened over those two to three years? What was, what was your journey? What was your stepping stones that got you through that phase into wherever you are today, essentially?

Zach Lewis: And much like a zero trust journey, a data governance journey never ends. It's, it's a forever journey. Um, I, I think a lot of the heavy lifting though, we got done, and now it's, it's setting processes in place. And we'll, we'll talk some about that. But, um, so we, we started at a high level. Again, we wanted to classify that data, so we took our, our classification labels, um, and we made sure that that went out to all of our data.

And there's a lot of get that on the data, but then verify that it's correct. You know, look at, look at large groups of it, subsets of it, whatever it has to be, but are we pretty sure this is accurate? All right. Once that's there, what do we do with it? Do you want restricted use data going outside to external entities?

Do you want it being downloaded on personal devices? Those are internal conversations, business discussions that you have to have with a lot of different stakeholders. So a lot of [00:12:00] meetings, a lot of talking. You can't just pull the trigger on that. There's other people involved, unfortunately. Um, and then, and we get that in place.

But then we also start looking at, you know, what, what files were shared to everyone, just open files. Um, are they sensitive? Let's, let's scrape all of those. Let's pull those back. Are there files shared with everyone in the organization? Do they need to be? Are they sensitive? Let's scrape some of those back.

We, we started at that very high level, and then it was... We were able, with our, with our tool, to sort of look at departmental data, so marketing, finance, business office. All right. Marketing, you guys have two million files, and of those files, um, 100,000 of them are, are marked confidential or restricted use.

Does that seem right to you guys? Do you think you should have that much confidential data? Let's look at some of it. Does it make sense for you all to have it? Who's it shared with? Why is it shared? And, and really have those conversations with the department head. So, I mean, that, that takes a large chunk of time.

Since then, we've moved into, uh, [00:13:00] retention. We have a retention policy. We're great at keeping data, so good at keeping data. We're terrible at deleting data. Um, and now we're really looking at those retention policies and applying that to, to the data and purging some of it. And those are hard conversations too, because people do not wanna give up that, that data, and they will fight you for it.

But if you have a really good friend in, in legal, general counsel, you know, you guys are tight, and you can be like, "This lowers the attack surface. This lowers our attack footprint, our data footprint, our legal footprint. If we're ever subpoenaed, we don't have to provide this. Like, we have this policy for a reason.

We're gonna purge that." I mean, we had files going back, you know, 20, 25 years.

Ward: Whoo!

Zach Lewis: No one had touched them. So we, we really started with what files haven't been touched in 10 years, modified, just, just modified within 10 years. All right. Maybe let's move those to an archive folder, and we'll store that for another six months.

We'll remove all permissions. Let's see if anyone yells. Uh, and, and really sort of step through that. [00:14:00] Around the same time we were doing that and, and we're still doing a little bit of retention and a little bit of, of data duplicification, but we started with data, data deduplication and looking at how many duplicate files do we have?

Can we purge some of those? And we were seeing, you know, 20, 30 copies of some files from people who had put it in their OneDrive and made a shortcut or a copy of it, and, and now it's over here in the SharePoint site and this site shared with this person. And so really figuring out when was the oldest-- where's the oldest file, where's the newest file.

Maybe we keep those, purge everything in between, move them out. But again, a lot of conversations with a lot of people. Um, and, and, and we, we looked at it from a categorical perspective so we can see categories of stuff and maybe it's course syllabus. Oh man, we have, you know, 200 course syllabi that are duplicated in some way.

Well, what's funny is we, we go to purge them and we delete them, and then we actually had faculty come to us and be like, "Where are, where are these syllabi at?" And it's like, "Well, we, we deleted them." "Well, I need that." "Well, it's 14 years [00:15:00] old. Why, why do you need it?" "Well, we use it as a template for all other syllabi."

And it's like, "You don't have one from this decade, like maybe this in the 2020s somewhere that we could use? Why are we

Ward: Man.

Zach Lewis: 14 years old?"

Ward: Yeah.

Zach Lewis: Yeah. And it was, it was pretty crazy. Um, so shifting the mindset and the how people work and operate like it's at past retention, it's duplicated. Like we're gonna move past that.

And that's been harder than any other, you know, data piece of this whole journey is, is just trying to clean that up and, and keep moving it. 'Cause sometimes you're only deleting 20,000 files and some days it's 2,000 files, but maybe one-- sometimes you get in there and get that 200,000, you know. It's kinda nice and, and you can lower that footprint a little bit.

It's more manageable.

Ward: W- a- as you're reducing, are you also seeing any cost savings, you know, not having to store all that data? Is that part of, you know, any, any KPIs that you guys are tracking?

Zach Lewis: Not majorly [00:16:00] because we're, we continue to create data too. So we're trying to maintain where we are. Our, our costs are tied in... You know, we have Microsoft licensing, so some could be tied there, but also our, our DSPM is, is based on quantity of data. So a- as we renew, uh, in the future, that could, that could be different.

Um, a lot of it is just based on, um, efficiencies and, and being able to find stuff and get to stuff and not have confusion. So there's some, some time saving and, and probably some money saving tied into there. But we're not hard looking at the, the cost savings. Now, I will definitely use that if I have to get the department to, to get some data moved.

Um, but for the internally, for the IT team, not our primary metric.

Ward: Got it. Yeah, I mean, that's, that's been a conversation that I've had a few times with, uh, with folks where it's like, to what you said, and I've been there too. It's like, "Hey, we've got, you know, da- data retention policies, but oh my God, we're all data hoarders. Like, we're not actually following them." Uh, my last organization, they had over 30 [00:17:00] years' worth of data.

Zach Lewis: Oh yeah.

Ward: The place. It's like, is that appropriate? Is there a regulatory requirement that's saying that? Probably not, right? Like, and, and you deal with all that. Um, and I've, I've tried to... You know, y- you have those conversations, you try to get people to align, they don't listen.

So then you try to appeal to the purse strings and say, "Hey, by the way, do you know it's gonna cost X, Y, or Z to keep it in, you know, this location?" I mean, you, you said it as well, you know, move it to maybe like a cold storage or something, see if somebody squawks. Like, even that could be a cost savings here or there, or at least a, a hygiene piece to get that out of the, uh, the active storage area at that point.

Zach Lewis: Yeah. Money, money's always a good motivator. I, I also find, uh, legal to be a very good motivator too. You don't want general counsel or legal or whoever sniffing around your environment. When they say to move something, people typically jump. So I, I like to partner with legal on those when I can.

Ward: Yeah, I think that's incredibly important. In fact, when, when I [00:18:00] talk about champions, right, the idea of like data security champions in an organization, I always tell folks like, in my opinion, there's three big ones, and I either say legal or privacy first. And I always make the joke like nobody actually likes lawyers half the time, but you can use that.

Like if you make friends with them, other folks certainly don't like lawyers either. And to the point you just made, you can s- you point them at them and say, "Hey, like go have a conversation and tell them why they're wrong." Um, I want to go back 'cause we, we, we glossed over it maybe, but in, in your journey, your two to three years, you, you really started with like actually classifying data.

So I am curious, you know, prior to your initiative, did you already have kind of a, a well-thought-out and socialized like data classification process and schema, or did you have to kind of build that or at least revamp it when you started?

Zach Lewis: Yeah. So we had a data classification policy prior to, [00:19:00] uh, the incident, um, prior to this journey. We'd had it for, I don't know, maybe four years, five years, something like that. We had, uh, we had data owners identify, data custodians identify definitions for that. Different departments had been told or, or had selected their, their owners and custodians, been given some training.

We, we had some stuff offered. W- was it super enforced and those people were doing a great job? That's subjective. Um, but it, it was at least there, and I, I think a lot of people are probably in a similar boat if, if they don't have that though. But like, like enforcing it is really hard to get people to just willingly manage their data, own their data, delete it when they need to delete in, in other departments outside of IT.

It just, just doesn't happen really. Um, but, but that was there. The policies were there. Um, training had occurred. Um, so we just had to remind folks and, and then reinforce it after, uh, [00:20:00] we started our journey.

Ward: I, I, I wa- I wanted to ask, I think it's important for the listeners to hear, right? So we... A- and, and there's definitely a few leaders that, that are probably listening that are embarking on this journey or, or partway there. A- and again, it's not an overnight sprint. None of this is. In, in fact, what I just heard from you is your journey was two to three years of, of doing a lot of, of work with tools and process or whatever, but you had already invested some time prior to that to start doing the education and the custodians, the stewardship and all of that.

So I mean, you're probably, what, five-plus years easily into

Zach Lewis: Absolutely.

Ward: Endeavor?

Zach Lewis: Yeah, 100%.

Ward: How, how do you think you guys are doing today? Like what, what's the next big challenge or, or big thing that, that you're trying to solve for?

Zach Lewis: You know, I, I think today we're, I mean, obviously we're a lot better off than we used to be. Um, but as I said earlier, the journey is never going to end. But I think we're at a place now... I'll [00:21:00] step back and say, historically people have always said there's not always a tech fix for a people problem.

Um, it's a very people process, but I, I think we're, we're entering a realm now, um, and, and AI helps with, with some of this and, and whether that's around data or like phishing emails or, or different stuff. I, I think we're at a place now where the tools actually can help with a lot of that. Um, getting users to label their data as they create it is a, is a slog, man.

Like, "Hey, you have to label everything that you create," or, "You have to label these emails. You have to do this. You gotta follow our sensitivity, uh, policy." Like, not happening. But, but with a, with a DSPM tool or even some new- newer DLP tools and, and different stuff that are out there, like you can do that automatically.

As they're creating it, these tools are, are, are almost reading them in real time, or as soon as they're created and put out in your, your OneDrive SharePoint space, they're reading them and they're applying labels to it. And those labels are linked to all sorts of rules and controls [00:22:00] that you can just layer right on the top of it, and it all happens sort of in this automatic, uh, organic fashion, which is super great.

Um, so we continue on that and, and, and lean heavily on it. I, I don't have a large team that are-- that's reviewing a lot of these. We're relying on the, the accuracy that we check when we set things up and where the AI's at. Now, if someone wants to report that something's a little too high or a little too low, they can, they can put in a request, um, try to change that, that classification and it'll get reviewed, but we, we hardly ever get those.

I don't think people really look. They just kinda go with whatever the, the, the policy is at the, the classification is at the time, and that's fine. Uh, uh, it's better than we were. It's better than nothing. I, I think overall it's, it's pretty accurate. Uh, we continue on the journey of, uh, record retention and deduplication.

I don't, I don't think we're near the end of that. There's, um, a lot of big categories of, of files we just haven't tackled yet, um, just because of what all's in them. [00:23:00] Trying to really pick out what is important to keep, what's not important to keep, um, and, and understanding why the users have that a- and where it is, um, it's, it's challenging.

There are-- It's definitely challenging, and I don't have a great solution for it other than to take it in chunks and, and just keep trying to move the needle little by little.

Ward: I mean, it's kinda like eating an elephant, right? Bite, bite, bite. You're not gonna swallow the whole darn thing on, on the day one. Again, data security is a journey, one, one that never ends. Um, you know, you, you, you touched on another topic that, that I talk about a lot lately as well, uh, good old AI, right?

You can't have any conversation without AI sneaking its way in. But where I wanna go o- on that particular topic with you is you mentioned, you know, using AI for good within these tools, right? I think there's a lot of folks that are super concerned around AI when it comes to data exposure, you know, data overexposure, you know, copilots and all that kinda good stuff.

But, [00:24:00] um, in, in, in your experience, how has it been actually leaning in and using AI for good with regard to data security?

Zach Lewis: I, I'll mention the DSPM again, the, the AI they have in that, I, I 100% helped with, with our classification efforts. We had tried to do stuff with, um, like Purview prior to, uh... And I, I've told this story before, but I'll say it here for the listeners, like being a higher ed institution, like trying to train Purview, and for those that don't know, like Purview has some, some trainable classifiers.

They have some ways to learn new data. They have some built-in stuff. But if you go to it and you're like, "I need to find grade letters," 'cause we're, we're higher ed, FERPA is our, our compliance framework, our regulation, like finding grade letters, the letter A in a file. "Hey, Purview, go find the letter A." You get a lot of false positives that aren't grades.

Uh, find the letter B. It just didn't understand the context, uh, of [00:25:00] the, of the document. So having AI there to sort of look at the content, but also understand how it's being used, who's sharing it, what's going on, what are they talking about. Um, I mean, they were able to come in immediately, be like, "Hey, these are, these are student grades," and identify them with like 100% accuracy, no training involved, no tweaks, just boom, there's that.

And it's like, that's great. Let's sped that up, 'cause as a human, I'm not gonna be able to do that. I can't go through millions of files and find letter grades. Like, that's crazy. Um, another great area o-of that use is we've been look- we, we partnered pretty early, um, design partnership with a, uh, a DLP tool.

Legacy DLP has always kinda sucked. It's, it's been hard to manage as well. Um, a lot of rules and red X's and, and, and different stuff, and watching all these false positives come through. But, but now with these tools with AI like, "Hey, there. There it is. I have my hat over here. I can go put it on." Um, but yeah, I mean, seeing them use AI to like see what are [00:26:00] users doing, not, not just context, context and content, but like intent.

What are they trying to do? What's the purpose of this? Is this new? Is it not new? And the, and the AI just infers all that in real time. It can kinda clear out false positives and give you actionable insights, like great use case for, for AI. And then I, I'm gonna step out of data just a little bit. I, I mentioned phishing too, but like, why can't I have an AI looking at a, an email as they come in saying like, "Where have they come through?

How, how long has this domain been around? Have we ever emailed them before? Is it different from other conversations? What are they asking?" Like, all these just different checkpoints that it does in real time, another great use case. Like, let's wipe out phishing. Let's wipe out data loss. Let's wipe out exfiltration.

Like, great use cases for AI where they should be used. So yeah, 100% it's there.

Ward: Yeah, I, I, I love that. And I have really-- I, I've been in... So originally I was very anti-AI a few years back. I was like, "Oh, this is, this is a fad. Who the heck cares?" But as I started, you know, seeing more and more [00:27:00] use cases, I'm gonna lock it down more to the security use case than the general, you know, AI usage out there. Um, initially I started getting flavors of like, hey, this is SOAR, right? Like it's, it's what was SOAR was supposed to be, you know, orchestration, automation, response. But it's so much more, right, than, than what SOAR was. And it also doesn't take, you know, nearly the, at least in my opinion, the, nearly the, the technical expertise that a lot of those SOAR platforms did, right?

For a, for a traditional SOAR platform, you had to know, you know, some sort of coding. You had to be able to call APIs. You had to be able to do all that, you know, whereas to, to use the, the non-data security one that you did, phishing, right? Like phishing, you used to have to do all that, right? Pull the email in, do all this, do all this stuff.

Now you can have an AI, um, you know, agent look at it, do all that automatically, look at intent, look at context, look at history, right? Have, have we talked to this person before? Do we do business with them? Um, it's amazing, [00:28:00] right? It's amazing when you look at that versus what? Five to 10 years ago, you, you would probably have an analyst on staff that would get those reported phishing emails. They'd have to churn through it

Zach Lewis: Yeah.

Ward: Hours, right? Hours of wasted time.

Zach Lewis: Yeah. What, I mean, absolutely. Um, a- a- and just thinking of like data... I- if we were at the same point then with data as like we are now, like without AI, having, having someone go through and like label files, find files, just like work data all day, every day. We don't, we don't have to do that anymore. I think we're gonna see that in a lot of other areas too, from, from bone scanning to, to pen testing to, to all sorts of things.

But like that landscape changes, um, I, I know we're getting off the data like area, but like does that, does that change our, our foundational entry-level security folks and, and IT folks? Are, are they agents now? What... Where do people come in at? Where do we build that foundational like [00:29:00] internal, uh, team structure where people get promoted up through?

Like there's a lot of things we still have to figure out. I think in the short term, AI doesn't eliminate jobs. I, I think it still augments jobs and, and gives, you know, we, we keep people there. We put them on other tasks. We, we bring new people in to expand business and grow and stuff. But eventually, there will be a time where that starts to change.

I don't wanna be doom and gloom, but I do think that, that there will be a time where that starts to change as these agents and, and AIs get better and better, so

Ward: To- totally agree, right? There, there's a lot of conversations out there around, you know, human in the loop still being necessary, which I, I do agree with. Uh, you know, probably 95% of use cases I do believe human in the loop is still necessary for those things. But I, I think you're right. I think there's gonna be a future where, you know, AI agents, AI capabilities replace a, a lot of the, you know, menial tasks that, uh, that folks ha- have been doing. Which I hope, you know, and, and again, I hope for the listeners, I, I hope folks are skilling [00:30:00] up now, right? Starting to, uh, not, not only skill up with how, how you can be more efficient with it, but also skill up in your own knowledge. Like, you're not gonna necessarily have to do some of those level one troubleshooting tasks anymore when you can literally put, uh, you know, certain things into an agent and be like, "Hey, this is what I know.

This is what I think. What do you think?" And, and get information back.

Zach Lewis: Yeah.

I, I think of like tier one like help desk folks and when, uh, Microsoft and NVIDIA are partnering, they're putting agents on all these computers coming out like, "Hey, Word's not working. Hey, AI agent, why is my Word not working?" And it's like seen everything you've done. It's on your computer. It runs through and it's like, "Oh, you need to update this, and you need to change this, and you had this going.

Let me just fix that for you." Boom. It's like, oh, everyone has a, a technician in their pocket now. You know? Like, it's cool. It sucks for some of those tier one techs, but it's also pretty cool.

Ward: Oh, yeah. Yeah. I mean, it makes, um, you know, be real fr- from a personal perspective, who likes actually talking to those tier one [00:31:00] techs half the time? Not me, right? I don't wanna sit there and be like, "Yes, I restarted. Yes, I did

Zach Lewis: Yeah

Ward: No, this is not a new device." Like, if I could just have a bot do it for me, heck...

Zach Lewis: That's right. The bot's like, "Did you restart?" And you're like, "Yes." And it's like, "No, you didn't. I've been here the whole time. Let me restart for you." That's all it does.

Ward: It looks at your system uptime right now, and I can tell you haven't restarted in 154 years.

Zach Lewis: The agent just restarts computers. That's all it's there for.

Ward: I'm curious in, in, you know, so you're in kind of a, a, a unique industry. We talked about this before I even hit record here, but you're in higher ed and healthcare. So with everything that we just talked about, data security, AI, all of that, is there anything that, that you feel has been, like, a relatively unique challenge for your mixed hybrid industry?

Zach Lewis: I mean, we get the, we get the best of all worlds, and the best, I mean the worst. We, we, we have, uh, I mentioned FERPA and grades, you know, [00:32:00] HIPAA and healthcare data. We have students going out on rotations to, to pharmacies and hospitals, so they're, they're bringing in tons of data there. Um, y- you know, we see, uh, we see them go there and they're like, "We can't plug in jump drives," or, "We can't run, you know, this software," or, "We have trouble connecting to the Wi-Fi."

But then, like, if you try to impose those same guideline rules here, like there's pushback. It's like, well, y- y- they got the same thing. Like, this is not new, guys. Like, this is how it works for security. Like, I, I don't like it, but it's, it's one of those things we've had to get to because that's the state of the, the world we're in.

Um, I- I- higher ed's always interesting. You have a lot of doctors, a lot of PhD people that know more about what you do than you do, and it's quite amazing. They, they are all experts in all things. Um, and, and you have to navigate that. And I, you know, I'm not trying to down it, but like, really that, that is, you, you have a lot of personalities.

And [00:33:00] like a lot of organizations though, you have a big widespread of generations. I mean, we have people we call dinosaurs who've just been here forever, man. They, they know they've been here forever. They know everything about, about the place. Um, and they still can't turn on a monitor in a classroom. Like they think the computer doesn't work.

So, and then you have the, the kids who don't even want to use computers. They wanna do everything from their, their phones and their tablets, even taking exams. And it, it's trying to find that middle ground to bring everyone together to do this all safely and securely to protect the organization. Um, yeah, it's, it's a, it's a lot.

It's fun. I enjoy it. But, uh, yeah, you get a little bit of, of everything. I mean, even PCI and finance, we, we run, we get financial aid from the government, so we have a lot of finance stuff, a lot of money stuff. We have food on site, and we take credit card payments and so like literally almost every regulation...

Research and, and some of that research could go with government and there's government standards around that, like just standards and regulations and everything all over the [00:34:00] place.

Ward: Man. So yeah, I mean, absolutely a little bit of everything. You're definitely not bored at this point

Zach Lewis: Oh, no. There's plenty to do always

Ward: Well, Zach, you, you've been in the industry for a bit now, right? 15 years. Um, and you, you are at the CIO CISO level now. So what was your journey? How did you get to where you are today?

Zach Lewis: Going back, I, I've been into computers since, uh, I don't know. My, my first computer was a Gateway, uh, with the cow logo on it, way back in the Intel Pentium 4 days. That dates me. I'm, I'm younger maybe than I look. Um, we'll see. But, uh, but we had one of those, and then, um, I, I loved playing on it. I remember trying to figure out what, what hacking meant.

I never became a hacker. I never fully dove into that. But I remember as a child being kind of fascinated with that, and then getting into high school and I would fix computers and, and build stuff and, and that was always enjoyable. And then getting to college, I knew I wanted to do something with computers, um, and got into computer management information systems.

It was a degree in the, the [00:35:00] business department, um, and, and that was a lot of fun there. I, I met a couple companies. They would come in and they would talk about internships and what they did, and there was, there was one specific one that did co-location, so they would store a lot of servers and switches and infrastructure for different companies and they, they were like a storage shop that ran all their equipment.

They provided network and cooling and stuff for them. So I worked there for a while and that was super enjoyable. Went into tech startups after that, just system administrator jobs, network administrator jobs, um, desktop administrator, all sorts of things. And then eventually wound up at a, at a college doing IT, uh, just based on some of the skills I had.

They needed someone who could do SCCM, which was Microsoft System Center Configuration Manager back... It's still around, but you know, it's a, it's a deeper cut now. But I had a lot of, uh, experience in that, so they hired me to do that and worked my way up from an engineer to a network and systems admin and then eventually managed the help desk.

Um, left [00:36:00] that to another higher ed institution and did some network administration there, network architecture. Left there and, and became a director of IT at another higher ed institution and then, uh, just sort of worked my way up to, um, AVP of IT and, and CIO. And then here at the, the university, uh, we didn't have a security program, so, uh, I built a security program and, you know, we got the people, we got the tools, and then I was like, "We need a CISO."

And they were like, "We don't have money for a CISO." And I was like, "Okay." And they're like, "Can you do it?" And I said, "I guess. I'm guessing there's no extra money involved in that since we don't have any. Okay." And, uh, yeah. And then just so I, I put that hat on and, and started doing the security stuff too, which has been super enjoyable.

Ward: Definitely came up through the IT side of things then. And I guess kind of tripped, stumbled and inherited security at that point.

Zach Lewis: Picked it up, figured it out, and we, we made it work. Um, and, you know, while doing all that, have a data breach [00:37:00] thrown in and do a, a domain company name change and COVID and supply chain issues from that and all. I mean, you know, the gamut. You get to do everything in the fire, forged in fire.

Ward: Well, I mean, it, it's great from an experience perspective, right? Like getting all that, you know, relatively quick, right? 15 years, like some would argue like, "Holy cow, you've done a lot in that time." I think you'd probably argue that too, right? You've, you've lived it, you've been there. Um, really want to hear about your book though.

I, I know, um, you know, I teased out you're an author. Um, let's, let's hear about it. Tell, tell our listeners

Zach Lewis: Uh, yeah. So Locked Up is, uh, the story of the ransomware attack I mentioned earlier, and, um, I, I wrote the story, um, uh, I don't know, a year or two after the incident, mainly because I, I started giving presentations around our, our attack, very high level. Um, I had to give a keynote or two, so I just threw something together, and, and after that keynote, I got a lot of questions from people in the crowd.

Um, so much so that they, like, ended up having to [00:38:00] shoo me off, and I was still getting questions about it. I was like, "That's interesting." And then I gave it a couple more times at d- at different places, and the same sort of thing happened, lots of questions. And I... Man, there was, like, a real hunger there. I, I could almost sense people wanted to know more.

Um, and so I looked around, and there wasn't a, like anything really on individual sort of ransomware attacks. Now, there's a couple books out there about some of the big breaches like Target or Equifax, um, but nothing that really, like, goes into the weeds of what someone might experience. So I, I threw a few chapters together, um, pitched it to, to Wiley, which was the publisher.

They loved it. They said, "Nothing like this. We, we want a hold of it," um, and, and threw it together. And there's this weird, weird stigma in the industry about people who've had, like, a cyber attack, and it's like, oh, you're maybe not a good practitioner. You have poor security. You don't know what you're doing.

Like, you shouldn't be having ransomware attacks. But if we look statistically, I mean, ransomware attacks continue to increase in, in s- in scale and quantity year over year. We've gotten better at recovering from those. I, I think that speaks [00:39:00] to, to backup and, and resiliency, but we're, we're no better at stopping those.

And why is that? Is it a foundational loss? Is it we're not sharing our information? Um, and sometimes we can't because there's legal reasons. There's, um, antitrust laws that keep people from talking about it. There's all, you know, all sorts of things that, that people don't wanna share about. I'm trying to normalize that a little bit.

So this, this book tells literally everything that happened from, you know, where our security posture was to different events going on in the world that affected some of what we did, which then in turn affected how the ransomware attack happened, how they got in, why we made certain decisions. When did we tell the users?

Why did we tell the users? Um, I even show, like, what we told them. Like, I hold nothing back. I give everything in there, um, from mistakes we made to problems we found to how we remediated, how we got better, um, all of it. It's all in there. Um, and I hope that at some, in some point it, it helps the community, it helps anyone who might be going through one of [00:40:00] these.

Um, it's, it's sort of gotten legs and taken off, and people seem to enjoy it, so I will, I'll take that for what it is.

Ward: That's amazing. And I, I, I think the, the biggest thing that, that I took away from your statement there was looking to normalize this, because I, I think, think you're correct. You know, if, if we go back 10 years, you didn't... I mean, once a month you'd hear about a, a big breach, right? And, and there was definitely a stigma like, "Oh, you're bad.

Like, we don't want to do business with you," or, "Oh, you, you, you suck," right? "You suck at your job." And, and now it's daily, right? Daily there's something, you know, popping up. You know, this person got popped, that person got popped. And I, I don't want to say we need to be numb to it. That's not at all what I'm insinuating.

But it is the norm we live in. Like, these things are happening. You know, AI is being used for evil as well, not just good. So it, you know, the attacks are happening quicker, and, um, I think folks should take your [00:41:00] approach of normalizing, you know, talking about it, understanding it, because the more we talk about it, the more we connect as industry, the better we're gonna get, right?

You know, sharing those lessons learned

Zach Lewis: I mean, we, we talk about hearing about it every day, but I would argue that's only on the, the cybersecurity channels. I mean, the news, like, doesn't even report about-- the local news doesn't even report about these things anymore because what's 300 million, you know, records? What's, 500 million records?

Like, everyone's records are out. How, many credit monitoring letters have we all gotten in the last, like, year? How many are you running in concurrency right now? Like, it's, very... And that's unfortunate. Like, I'm-- I don't wanna normalize, like, be okay with it because it's happening, but, like, it is happening.

We need to talk about it. We gotta do something else. You know, 100 new tools come out every year in security, but yet attacks continue to rise, so something there is disconnected. Uh, let-let's figure that out

Ward: Right. Absolutely. Well, Zach, if folks want to... Oh, actually [00:42:00] first, if folks wanna find your book,

Zach Lewis: Sure.

Ward: Where's the best place to go and find that?

Zach Lewis: Listen, Amazon's got everything, right? They, they got the book. Feel free to grab it there. Um, Barnes & Noble, you can find it at Target, Walmart, uh, Books-A-Million. You know, anywhere books are sold, you can get a copy of "Locked Up."

Ward: Awesome. And if folks want to connect with you, um, what's the best way to do that?

Zach Lewis: I'm very active on LinkedIn, so feel free to go over there and connect with me. Um, homesteadingcso.com is my website. I don't post there often, but that is also a great way to get in touch with me if, if anyone needs anything. And then I'm all over the country speaking at events and conferences. So if you're there and you've seen this and you see me, make sure you swing by and say hey

Ward: Well, actually on, on that, what, what's your, uh, what's your next couple stops just in case folks want to try to, uh, see you in person?

Zach Lewis: Yeah. So I will be-- I'll definitely be at Black Hat. Um, I will be doing a book signing there, um, and around for a few days. I'll be in, um, let's see, New York doing a book signing for the World Cup, at the World Cup in a, in a couple weeks, which [00:43:00] is pretty cool. Um, I'll be in Michigan in July, Nashville in July.

Um, all over, uh, all over the place really. Truly. Florida later

Ward: Very good. Very good. Well, Zach, thank you so much for joining us today for this episode.

Zach Lewis: Ward, thanks for having me. Uh, hello all the listeners. Thanks for being here and, and really thanks for subscribing and, and, and following Ward. It's, it's, it's great. It's a great podcast. Thank you all

Ward: Absolutely. And yes, big thank you to the audience from me as well. Really hope you enjoyed the episode and learned something today. Please tell others in your network to follow and listen. This has been another exciting episode of Guardians of the Data. See you next time.

That's a wrap on another episode of Guardians of the Data. Thanks for tuning in. For show notes and more, visit guardiansofthedata.show. Guardians of the Data is made possible by support from Sentro. To see how we help organizations discover and classify all of their data accurately and automatically while quickly achieving petabyte scale [00:44:00] data protection without the fuss, please visit sentro.io.

Catch you next time
