
“Comprehensive Cybersecurity”, With Jason Remillard and Kevin Grimes, Sr.


A comprehensive cybersecurity and data privacy program is not optional because it addresses things like computer network security to avoid malware attacks, executing application security before deployment, and prioritizing end-user education to avoid erroneous security practices. Combining cybersecurity and data privacy also focuses on protecting sensitive data, and adopting operational security measures benefits data protection. For example, I have worked with clients who did not have a comprehensive approach, and security breaches and chaos were often the result.


As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Kevin Grimes, Sr., Vice President at Arbour Group, which is a Pharmalex company. He is a seasoned executive with over 30 years of experience and is responsible for multiple business areas including Digital Transformation and Compliance, Regulatory and Validation, and Connected Health. During his career he has worked with many Fortune 50 Life Sciences companies to accomplish objectives such as Revenue Growth, M&A, Cost Savings, and Technology Innovation. His Healthcare and Life Sciences career has focused on working with payers, pharma, medical products, devices, and clinical trials. He has extensive experience in Cyber Security, Data Integrity, the Healthcare Value Chain, Cloud Integration, Hybrid Public Cloud (AWS, Azure, and GCP), the Internet of Things (IoT), Project and Program Management, Digital Transformation, Artificial Intelligence, Machine Learning, Big Data, Analytics, Agile Development, Scaled Agile Framework (SAFe), and ERP (SAP and PeopleSoft) package implementation.

Moreover, he is well versed in FDA regulated environments with strong knowledge in Good Clinical Practice (GCP), Good Manufacturing Practice (GMP), and GAMP5. Kevin holds multiple domestic and international advanced degrees including an MBA from Purdue University; an International MBA from the Ecole Superieure De Commerce in Paris, France; a Master’s in Economics from the Budapest University of Economics & Sciences; and a Master’s in Strategic Management from the Tilburg Institute of Advanced Studies from the Netherlands, Holland. In addition, he has a Bachelor’s Degree in both Industrial Management and Engineering from Purdue. Finally, he holds multiple certifications including but not limited to being Certified by IBM as an Executive, Certified PMP, Certified SAFe 4.0 Agilist, Certified ICC-ACP Agile Coach, Certified Google and AWS Cloud, Certified SAP, Certified Oracle Cloud ERP/Big Data/EPM, Certified Information Systems Auditor, and a Certified Accenture PPSM Lead. He previously worked with Accenture LLP, IBM, and Anthem.


Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in a middle-class African American family in the Mid-Western United States of America. I had a very strong family support structure and faith community. Moreover, I was involved in athletics (basketball, baseball, and football) and outdoor activities. I have continued to be involved in coaching youth athletics, mentoring youth in community programs, and community organizing.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I got involved in cybersecurity in the mid-1990s while working in technology (IT and Telecom) and business for what is now Verizon Corporation. The internet was very young during those years; however, the risks and exposures were many and evolving at a greater rate than many entities could defend against. Many in industry today do not realize that by the very nature of its business, the telecommunications business was the original pioneer of what we call the “Cloud” today. This is how their telecom infrastructure was built to communicate. During this time, I had to provide leadership to teams implementing solutions and protect a multi-billion-dollar company from cybersecurity threats by working from an enterprise audit and security perspective. Over that time, cybersecurity threats have become much more evolved and sophisticated.

Can you share the most interesting story that happened to you since you began this fascinating career?

I could share many interesting stories; however, one that comes to mind is when I was working with a large client on implementing cybersecurity frameworks. During this instance, they struggled with understanding the cost-benefit rationale behind implementing a framework that results in prevention and, in some cases, catastrophic consequences. However, this client decided to proceed with an appropriate framework that went across their hybrid-cloud platform. They have experienced good results that have allowed them to provide comprehensive cybersecurity with solutions that meet their compliance requirements.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

The people who I am grateful to are my parents, family, faith community, and professors. These entities and institutions have enabled me to become who I am today.

Are you working on any exciting new projects now? How do you think that will help people?

Based on the nature of my current role, I’m not focused on a single new project. However, one of my recent projects involved Cybersecurity and Cloud Financial Management. Companies considering both of these areas when looking at the cloud is key to being successful.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

My advice would be to keep a work-life balance.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

The three things that excite me most about the Cybersecurity industry are the Cloud, Data and Data Integrity, and Artificial Intelligence and Machine Learning. I mention these three because all continue to be impactful and high-growth areas for the next 10–15 years minimum. Moreover, from a regulatory perspective, whether you are considering GDPR, HIPAA, or similar, all have been able to work together comprehensively.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Yes, there are always critical threats that companies need to be preparing for. Some key examples of cyber-attacks that are of concern are malware, phishing attacks, data leakage or theft, denial of service, hacking, insider threats, and ransomware.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Yes, I have many stories working with clients where cybersecurity breaches have been identified proactively and reactively. Some of the key takeaways involve having a comprehensive approach that ensures both compliance and security. For example, one approach may involve a framework that focuses on a Core that provides desired cybersecurity outcomes ordered in a hierarchy and aligned to more detailed guidance and controls. Also, Profiles are established that align an organization’s requirements and goals, risk appetite, and resources using the anticipated outcomes of the Core. And finally, Implementation Tiers provide a qualitative measure of organizational cybersecurity risk management practices. Moreover, another key takeaway is implementing tools that provide visibility and response time to address breaches quickly.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

The cybersecurity tools that I have used are dependent on the platform, organizational goals, and objectives. For example, since many organizations have a large Microsoft infrastructure and are looking to move to the Azure Cloud, the Microsoft Cyber Security tool suite is a natural choice. However, if the Google Cloud Platform (GCP) or Amazon (AWS) is their preference, their native tools are on the selection list. The functions of these cover things like Identity and Access Management (IAM), Role Based Access Control (RBAC), Cloud Access Security Broker (CASB), and many others. Since the breadth and depth of this can be significant, you may contact me at the information below, and we at Arbour Group would be more than happy to assist you in these endeavors.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

If someone doesn’t have a large team, you want to deal with this from a top-down perspective. If they understand the organization’s strategy, objectives, and goals, then the bottom or expansive layers can be built. I would also encourage obtaining sponsorship from within the organization at the C-Level, because without that, it will ultimately be challenging to meet goals. Once these things are established, the organization’s scope is better ascertained, and then they can determine when to move from “OTC” software to engaging an agency or hiring a CISO.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

First, this is dependent on the organization and the type of data they are managing. Most hackers are trying to ascertain some useful data that will benefit them. In some cases, this could be PHI or financial data; however, the best approach is to establish indicators or “tripwires” that alert responsible individuals to fraudulent activities. This is looking at this from a reactive perspective. The other item I would encourage is to act in a more proactive way that includes things like Tiger Teams for networks and sending emails to test Phishing violations. Essentially, every organization needs a comprehensive program that addresses reactive and proactive indicators to ensure they can identify breaches.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

If this occurs, they should notify the impacted customers and implement consumer credit protection immediately. They should also close the breach from a technology perspective and implement measures to ensure it never happens again.

How have recent privacy measures like the California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

Yes, both of these measures have affected our business. We see more and more customers that desire to become compliant with these and other key regulations.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Exposing electronically protected health information (ePHI) is probably the most common data security mistake, and Phishing is a very common mistake around cybersecurity. The healthcare industry is an example, given the value and sensitivity of ePHI and personally identifiable information (PII), the dire operational impacts, and the enormous costs of breaches. The numbers are stark:

  • 3.92 million dollars: 2019 comprehensive global cost of a data breach
  • 25,575: average number of records compromised
  • 5.1 million dollars: the total cost for organizations with more than 25,000 employees
  • 2.65 million dollars: the total cost for organizations with 500–1,000 employees
  • 6%: the odds of undergoing a data breach
  • 150 dollars: the average cost for each stolen or lost record containing confidential information

Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

With working remote and telecommuting becoming common now with COVID19, we have an uptick in cybersecurity incidents. This is due to the simple fact of environmental change, including things like the way people access company systems over different networks, etc. This sudden and dramatic move has also brought consideration to the “dark side” of cloud-based application architectures: they deliver efficiency and ease but are weak in the extents of data protection and security. Undeniably, the next epidemic already here is a new wave of ransomware, data theft, infrastructure, and further attacks by criminal hackers, malicious state actors, and many other threats. The environment and hosts that can be subjugated by these damaging viruses of the connected digital age have just expanded intensely. The Internet of Things will further exponentially hasten this expansion into every facet of daily work and life.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

1. A Comprehensive Cybersecurity and Data Privacy program is not optional

A comprehensive cybersecurity and data privacy program is not optional because it addresses things like computer network security to avoid malware attacks, executing application security before deployment, and prioritizing end-user education to avoid erroneous security practices. Combining cybersecurity and data privacy also focuses on protecting sensitive data, and adopting operational security measures benefits data protection. For example, I have worked with clients who did not have a comprehensive approach, and security breaches and chaos were often the result.

2. Cybersecurity Frameworks and Tools are essential

Understanding and applying the appropriate Cybersecurity Framework and Tools are critical. You may have to work with a consulting firm to assist you with this process. However, this is a catalyst in allowing you to meet regulatory standards, organizational goals, and maturity. As mentioned earlier in this interview, I have worked with many organizations with the wrong or ineffective toolsets. Many don’t understand the value of a framework, but both of these are essential in maturing your organization.

3. Leverage the cloud because it’s here

The cloud is here to stay and specifically Hybrid Cloud. Therefore it’s critical to have the right approach to Cybersecurity and Data Privacy. The bad news is that with the existing cloud-based architectures of most applications, this is almost impossible. The best that can be accomplished is a series of concessions between data access and efficiency with data privacy and security.

The issue is foundational. Current cloud-based architectures expand efficiency through methods that are fundamentally flawed from a security standpoint.

  • Decentralization of data. Data is separated, and access to data is segmented with many smaller pools that are encrypted separately. This minimizes the impacts of breaches, and particularly the insider attacks by the Edward Snowdens of the world.
  • Device-based Access. Even though the data is kept in the cloud, it can only be retrieved locally on precise devices. There are no credentials like user names or passwords to take. Hackers must get access to the device so remote attacks are not possible. Additionally, data on each device is encrypted, and entry to it can be limited to authorized users so that they are impossible to hack without that user’s explicit knowledge.
  • Keys in the Cloud. Encryption is widely applied as a critical first step in data security. Inopportunely, current architectures necessitate that the keys to decrypt this data be kept and used in the cloud, and capturing those keys is too easy for knowledgeable hackers.
  • Massive Attack Surface. Any device connected to the internet can attack a Cloud server, exploiting the exposures already listed.

While companies do take many steps to add layers of security to their platforms and applications, they cannot address their foundations’ cracks. Arbour Group can assist in treating the symptoms, but we cannot cure the disease without a fundamentally new approach.

4. Understand the importance of Architecture

Understanding the importance of Architecture when it comes to Cybersecurity and Data Privacy is paramount. For example, next-generation Peer-to-Peer (P2P) application architectures can solve many foundational problems. More specifically, new tactics in software that highlight decentralized, peer-to-peer architectures, end-to-end encryption, and distributed ledger technology can handle these challenges and influence the next generation of secure, private, and trusted collaboration on the internet.

Thanks to Blockchain and Cryptocurrencies’ use, many people are familiar with the concepts and terms of “Distributed Ledger Technology” and “Peer-to-Peer Network.” What is less understood is that the architectural principles that make these secure can be applied to bring a new security level to software applications and platforms in the connected digital age. These principles alter the equation, removing the foundational cracks in present architectures while conserving the benefits of the internet and the cloud:

  • Decentralization of data. Data is separated, and access to data is segmented with many smaller pools that are encrypted separately. This minimizes the impacts of breaches, and particularly the insider attacks by the Edward Snowdens of the world.
  • Device-based Access. Even though the data is kept in the cloud, it can only be retrieved locally on precise devices. There are no credentials like user names or passwords to take. Hackers must get access to the device so remote attacks are not possible. Additionally, data on each device is encrypted, and entry to it can be limited to authorized users so that they are impossible to hack without that user’s explicit knowledge.
  • No Keys in the Cloud. With P2P architectures, encryption keys are never in the cloud and are formed and stored only on devices in the P2P private network. Therefore hackers cannot gain entry to any encrypted data kept in warehouses in the cloud.
  • Minimal Attack Surface. P2P architectures don’t have an attack surface in the cloud. The only vector of attack is devices controlled physically and accessed by users. And there are many approaches available to lock these down in ways that are impossible with a centralized cloud application architecture.

If you want to regain security and privacy, you need to change the approach. No system is ever “hack-proof,” but new P2P architectures essentially change the model for security to address the flaws of current approaches while preserving the cloud’s benefits. This creates an opportunity to power a new generation of distributed collaboration and remote engagement without compromising security, privacy, compliance, data protection, and ease-of-use.

5. Leverage Artificial Intelligence and Machine Learning

I would encourage leveraging AI and Machine Learning with Cybersecurity and Data Privacy initiatives. The fact is that AI and ML are our new reality, as cloud computing has driven the increase in computational processing power and corresponding decreases in data storage costs. Due to data growth, traditional procedures of analysis have become increasingly incapable of supervising this data volume. As an alternative, cognitive capabilities, including data mining, machine learning, and natural language processing, replace traditional analytics and are utilized against massive data sets to help find indicators of known and unknown risks. Therefore, leveraging these technologies and their corresponding security methods is critical now and in the future.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think simple, fast, effective and something everyone can do!)

A movement that I would inspire that would bring about the best to most people would be to treat others as you desire to be treated with respect, dignity, and goodness. A simple action may involve “paying something forward” that is as simple as buying a cup of coffee or elaborate as paying for a five-course meal. Both warm the heart and release positivity into the community. If people did these things and especially those in leadership, then others would follow voluntarily. Although you still may have those that are selfish, try to take advantage of, and harm others through many criminal and non-criminal means, they would be in the minority, and eventually, even their minds would change.

How can our readers further follow your work online?

First, I would invite you to reach out to me directly at [email protected] or contact Arbour Group for more information on our Cybersecurity and Data Privacy services. Also, you may connect with me on LinkedIn.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
