“Data is a double-edged sword”, With Jason Remilard and Rich Hale of ActiveNav


First and foremost, assume you will get breached. It’s happened to us. It’s going to happen again. You need to put in place mechanisms that ensure that breaches can be handled as part of your business as usual.

Now, that doesn’t mean you should just accept it. But you need to make sure that you have a stance that is ready to respond rather than just one that’s on the shelf gathering dust.

As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Rich Hale, Chief Technology Officer of ActiveNav where he focuses on developing their market-leading File Analysis software. Rich spent 16 years as a Royal Air Force Engineer Officer deployed around the world. His career in the Royal Air Force not only spanned over a decade, but also numerous countries including the US, Saudi Arabia, Kuwait, and Canada. He is a product and information evangelist, with experience hard-won through many years’ developing information governance programs in enterprise and government agencies. Rich holds a B.Eng. Honors Degree in Aeronautical Engineering from London University, as well as an MBA from the British Open University.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in England without a car. I have clear memories of walking to and from the store and using the public bus. We walked absolutely everywhere.

I love the outdoors and played a lot of sports growing up, particularly soccer and rugby. I joined several youth organizations as well such as the Air Force Cadets, Cub Scouts, and the like. During that time, I earned a few awards which was cool, and I always enjoyed it. In those youth organizations, I started finding myself getting leadership positions. But as a result, I got distracted and started doing just “okay” in school. I look back at my kids now and recognize all the things that annoy me that I was doing when I was young — but doesn’t every parent? Eventually, I held it together through to the middle of high school.

Then, at the end of high school (or a secondary school as it’s called in the UK) I blew my major qualifications, the ones that I needed to get into university/college. As it turns out, I managed to scrape together an application to one of the really good universities in England: Queen Mary University of London. I chose to study Aerospace and Aeronautical Engineering. After completing my degree I joined the Royal Air Force.

With the Air Force, I moved around a lot. I lived in Germany, Texas, and of course the UK. I’ve also deployed to the Middle East, around Europe, and in the US. My family and I have lived in Northern Virginia since 2017.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

My story was recognizing that my chosen path required me to do a lot of what I’d call hands-on practical, operational engineering. I was an engineering manager and leader, but I realized that the operational side wasn’t my strong suit.

Over time I realized that what I was interested in was “big change”. I went to Texas with the Royal Air Force, looking at a large procurement program which involved bringing an aircraft into service. I noticed that whilst I was geeking out on the technology, it was the whole process of introducing the aircraft to service that was interesting to me.

So “big change” was the thing that got me excited. I came back to England and like a fool, I picked a post in the Air Force that no one wanted, which involved introducing the largest information technology change in the Royal Air Force.

Through that process, I recognized that I was getting into understanding data. I met a small company and unwittingly wrote the roadmap for their product, which is aimed at understanding information. My context at the time was governance and ensuring that information was appropriate to the business need. That’s how I got into understanding data security, data risk, data value. I wanted to understand data at scale, but in the organizational context. Why do you hold data? What’s it for? Should you hold it? And what can you do with it? That’s what got me into cyber.

Can you share the most interesting story that happened to you since you began this fascinating career?

While I was with the Royal Air Force, we got bombed in the Middle East. That’s not typical for the role I held! While deployed in Nevada, I got involved with the first drones at the Royal Air Force. The US has led drone technology in the military, and I was lucky enough to be one of the people who was helping to scope out this project. I helped the Royal Air Force adopt the Predator drone along with engineering support for it. While I didn’t get involved with the data the drone was collecting, that was a fascinating time in my career.

If you flip across the line to my time with ActiveNav, where I’m the CTO, that’s when I started to engage in information related to cybersecurity. We were a small, smart startup company. There weren’t many of us. We were having discussions with very big, global organizations. I remember one of our lead sales guys walking through the door in our small office in England and saying, “Hey Rich, we’ve got a tiger by the tail here.” He was referring to a contract.

He had just closed one of the world’s largest defense manufacturers. I’ll never forget it. That’s what I would call the change point in our business. We moved from sort of a notion, or an idea, to what we wanted to do, which is engaging with companies to help them understand their data.

That tipping point for the company is, at least in my memory, a fascinating story.

None of us can achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

Well, I have got a particular person, but I can’t resist mentioning my team, too.

When I left the Air Force, I had become very frustrated with the hierarchical nature of the military and how it put a barrier between “us” and “them.” The leader or the Officer and the people that did the work. And so, when I left the military and joined ActiveNav, I was looking to understand how I could work better with teams in a more empowered way and through that, get closer to the way I work with teams.

Through that whole process, since “grabbing the tiger by the tail,” I realize how much you need your team around you. You need the team to back and support you. And certainly, with a fast growth trajectory, I’ve become increasingly aware of how important it is to recognize that you need the team to help you on those journeys.

To answer the question more specifically, there was one person in the process who helped me along the way. Our ex-CFO, David Dawson, helped me understand that it was okay to not know the answer.

When you leave the Air Force and change career completely, one of the things that worries you is that you don’t know everything, and of course, you can’t know everything. David helped me come to terms with that. He also helped me reinforce the concept of a “servant leader”, which is a term I like.

I still think about it a lot — about knowing that you don’t need to know the answer, but to provide the environment and the framework for your team to do what it needs to do. I’m sure the military had a hidden message that I missed perhaps, but I don’t think the military structure helped me do that.

Are you working on any exciting new projects now? How do you think that will help people?

We’re not going to get far through this interview without talking about COVID-19. I frustrate my CEO by calling it “Coronacation Communications,” a term my eldest daughter coined. It describes the fact that COVID is bigger than the virus. It’s the impact it has on everybody in ways we can’t even imagine.

Referring to my last comment about teams, the main project I’m engaged in myself is about helping balance collaboration and isolation between teams in the UK and the US. We’re being forced to accept video conferencing as the norm. And I’m frustrated by that. I think we need to transcend video conferencing as the norm. That requires us to engage in how we share and collaborate with people. That’s what binds people together — communication and collaboration.

I watch our teams get frustrated, watch my kids get frustrated, people are struggling to cope. And so, my principal project is how I engage and support my team leads to connect people in this age of video conferencing and the complete change of our working environment.

The second one that’s perhaps more related directly to the subject matter is our cloud product. We are complementing our on-premises solution with a new cloud product. It’s a really exciting project for me as it’s our chance to engage with the power of the cloud and use the scalability of the cloud to provide a single pane of glass view of our customer’s data.

I’ve also had a quest ever since I left the Air Force and that’s to provide an “easy button” for understanding unstructured data. Our new projects are engaging with the scale opportunities that the cloud provides. That project complements the work I’m doing myself around enabling teams and the impact COVID has had.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

I think this one sounds simple, but it’s hard to do. And I’ve watched myself in COVID feel bad about not working hard enough. I think it connects (hopefully), some of my previous answers about trusting others and giving yourself a break. That’s the best advice I can give to anyone.

I think feeling safe to fail is also important. Not feeling like you must succeed every time. Part of that is having team relationships around you. You need to experiment when things are uncertain but trying to deal with uncertainty is perhaps one of the biggest challenges we all face. That’s why running experiments and giving yourself opportunities to be safe to fail is important.

I think about my daughters as they grow up. I ask myself every day how I can promote in them the confidence to just try something — and that they’ll be okay if things don’t go their way. Of course, there’s context to place around that, but I think that’s how I see people getting wrapped up — when they feel like they’re being burdened by this need to succeed, to be perfect every time.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

For me, it’s all about context.

What’s the “why” of cybersecurity? Who’s trying to access data and why? What information are they trying to access? It seems that we’ve been frustrated by not having the technology to answer that question. So, as a result, organizations have been doing things like locking down and protecting their perimeters.

But the reality is that the door’s going to get broken down at some point. And so, understanding what data you’re protecting and why is a critical part of the equation. I think only recently has technology begun to become available to make that possible.

Secondly, data privacy is driving the need to look after data in a more responsible way. We often talk about data stewardship and connecting business with its cybersecurity responsibilities. Companies need to understand their data and start taking broader responsibility for business information assets.

That, for me, is the changeup that cybersecurity needs to engage in. Introduce the skills and capabilities needed to help organizations enact better stewardship, but also in the longer term, to begin to leverage data for value.

There are two sides to every coin. Data risk and data value are opposite sides of the same coin. I think the skills that you need to introduce the technologies to take a grip of your data will open opportunities to better leverage that data too.

And then lastly, to support all of that, we need the continuous flow of transformational technology and the commoditization of capabilities that only a few years ago felt like pipe dreams. This opportunity to innovate and be really dynamic about the way you attack these types of problems — to explore the art of the possible and to think all those things through is what I’m most excited about right now.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

I’m going to repeat myself here. I’d love to think further out, but I’m going to focus on the very near future and the impact of the new way we’re working on cybersecurity.

We must keep an eye on what remote work is doing to our people. I’m reflecting on myself, my staff, my teams, as I’m sat at home. As more people blur the boundaries between work and home life, I think it’s very easy to slip up on cybersecurity as you flip your two modes: work and home.

Have you changed your mindset sufficiently to engage in the move from a social family setting to actually being very diligent and getting your work hat back on and ensuring that you’re being appropriate and responsible with the data you’re dealing with?

It’s a very practical thing for me. I have a home computer that I use for my personal stuff and I have a work computer. Sometimes I log onto my home computer and kind of forget that I’m actually on my home computer and then I might try and do some work. This opens up opportunities to mess with the boundaries. Organizations must pay a lot more attention to how they help people compartmentalize their life and their thinking.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I’d love to say I’ve stopped one. I’m sure we’ve stopped a few. We’ve engaged a lot on how we improve our cybersecurity stance in our business. However, you may never know the ones you stopped. So, I’ll talk about the biggest one that we’re engaged with as a business where we’re involved with a global company that was responding to a breach.

They were under significant pressure. They’d been breached and they hadn’t put in place an understanding of where their data was. They couldn’t answer basic questions about what might have been breached, but also where else they may be at risk because of the breach.

It was a very short time scale. They needed to respond quickly, and they had to grow a whole new capability overnight. And so, what they needed to do was understand where their data was. They needed to understand that at scale, globally, and they needed to do it yesterday.

We went on a journey with them to begin to identify and deploy capabilities that would enable them to understand their data. And I think the takeaway for me is organizations are hamstrung by organizational and data silos.

If you don’t start controlling data proliferation before a breach happens, you can spend a lot of money, time, and effort cleaning up the mess post-breach. It’s very costly to bolt the door after the horse has already escaped.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

We’re very simple compared to the massive global organization I just spoke about. We’re still a relatively small business but growing quickly. And so, our needs are reasonably modest.

What we’ve found is that software providers are doing a lot to introduce monitoring capabilities into their platforms, which you can use almost out of the box. We use data and threat monitoring software, particularly mobile device management capabilities. What that lets us do is monitor the way our users interact via the platform and give signals and send warnings when needed. It also helps us identify potential risks so that we can respond to them and help us deploy policies to mobile devices, such as phones and laptops around our organization.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

I think you should take cybersecurity advice as soon as you lack someone who hasn’t been around the block before.

For me, it sounds obvious, but let’s not reinvent the wheel here. I think many, many organizations — I’d even go as far as say most — still have to get the basics straight. Look at the experience in your team and ensure you’ve got someone who’s done this before. Then make sure you don’t contract fast for the type of advice you already have on your team.

Don’t kid yourself that you can get it all from one person — because sure you can — but why would you? There are a lot of lessons to be learned from others.

The other point I’d make is a risk directory program. I talked earlier about the need for data mapping services and understanding what data you have and how that helps you set your risk appetite. That should help you target your efforts so that you don’t end up boiling the ocean. As I said before, “over the counter” software provides great utility for small businesses in that way.

Take advice as soon as you can to know when you need to change things up.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

I’d say if it feels wrong, it possibly — maybe even probably — is wrong. I watch people who call themselves “non-IT” types who when they see something out of the ordinary, or something that they don’t recognize, they assume it’s them that’s wrong. Even though they work in that pattern all the time, they assume it’s them. And so, the first thing for me is that if it feels wrong it probably is wrong.

I have an example where one of my team, a tester who, whilst being a very good tester, wouldn’t claim he’s especially technical. He saw some strange behaviors on his laptop, and it took him a while to put his hand up and share that there may be an issue as he had assumed that he was the problem. Once he notified IT, very quickly we were able to look at a link he clicked on which he shouldn’t have. We identified a virus, locked it down, and cleaned it up. That to me is the first one — if it feels wrong, it possibly is wrong. Share with your IT department — they want to help.

Another example I’d give is around email and phishing. Again, I still see people wrestling with this one. If the email looks different or you just get a sense that the email’s wrong, if it looks out of place, if the invoice timing isn’t what you were expecting, or if the request is some way unusual, no matter how fast you’re working, no matter how dumb you think you might be, you’ve just got to say something. That’s what I’d say to everybody — try not to be quite so precise about specifically the thing you’re looking for.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

It’s about being transparent. An organization needs to be transparent about any sort of breach — about the actual impact as well as the extent of the necessary cleanup. They need to be transparent to protect their future reputation.

Ensuring that customers and stakeholders understand the nature of the breach is also incredibly important. Only individuals can assess the nature of the impact on them.

It’s also important to confirm the nature of the breach and don’t assume anything. I know that sounds dumb, but just check the extent first, and then make sure you contain and isolate rather than tampering. I’ve seen lots of people who wade in, roll their sleeves up and say, “Oh, I’ll just log on and see what’s going on. Let’s use my admin rights and get in and see if I can fix it.”

Don’t do any of that. Preserve and gather logs. Make sure you get the evidence together and don’t do things like resetting passwords or logging on to breach machines.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

As I’ve said before, ActiveNav is a small, fast-growing business. Privacy measures have made us much more aware of the extent of our relationships with data processing. We use a vast network of services and providers. Making sure we go back and check those providers, big or small, has affected us — but in a positive way. We’re double-checking to make sure that we set an appropriately high bar for the handling of our employee and customer data. We’re also constantly asking ourselves if those data processing activities are necessary.

For organizations in general, it’s about getting to grips with their data estate and knowing their data. I can’t emphasize this enough.

What are the most common data security and cybersecurity mistakes you have seen companies make?

To build on my previous answer, it’s companies not understanding their data. Protecting your ingress and egress points, of course, are obvious and required, but these days understanding the nature of the data itself and how it’s being used is what’s important — but often neglected.

You’ve got to make sure you protect your ingress and egress points, but make sure you understand what’s happening inside of them, too.

Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

Fortunately, in my organization we haven’t. I think that’s because our organization was already used to working remotely and acting in a very dispersed way by habit.

Repeating myself, I’m always thinking about how we reinforce the right practices, how to make people aware that even though working and home life are mashed together inexorably, we need to make sure we all know how to change modes and be disciplined.

I heard a great story about someone who, in this COVID world, likes to step out the door and walk around the block before they come into work each morning to get into the right headspace. And as funny as that sounds, I feel like those sorts of practices are important for getting your work “game face” on.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

First and foremost, assume you will get breached. It’s happened to us. It’s going to happen again. You need to put in place mechanisms that ensure that breaches can be handled as part of your business as usual.

Now, that doesn’t mean you should just accept it. But you need to make sure that you have a stance that is ready to respond rather than just one that’s on the shelf gathering dust.

Secondly, your IT systems are causing your employees to cope in a difficult IT environment. By design, cybersecurity always makes your employees cope with your technology and work around it. I’ve several examples of employees having to deal with complex password mechanisms so as a result, we find passwords on open files stored on corporate networks. All. The. Time. However well you think your mechanisms are working, your employees are doing strange things to cope with their lack of understanding of how it works.

For my third point, I’d like to compliment an analyst from Gartner called Debra Logan. She coined a phrase I love which is: “People and technology got us into this problem. Only people and technology will get us out of it.” She’s essentially saying that in this era of explosive data growth, you need people and technology to engage with data at scale to enact and sustain efforts.

Don’t just buy technology. Don’t just buy technology without including the people and processes that you need to make it successful. Buying technology and then not having the resources to be able to use it effectively is of no help to anyone. Always think “People. Processes. Technology.”

I think I’ve said this two or three times already — but I’ll say it once again. You now need to truly understand the reality of your data holdings and your processing. I lose track of the number of customers we engage with who have automated systems for gathering data, mashing it up and transforming it, and then dumping it on the network. Countless times we find large dump files with very personal data. Again, it’s an example of where people set up processes and don’t think about the implications. Understanding where your data is processed is critical.

On that point, data is a double-edged sword. Organizations think that they must keep all their data in case it adds value later. I’m convinced that data hoarding and keeping everything is far from the right approach. Organizations need to develop disciplines that enable them to actively triage the trash and all the data they no longer need because it just gets in the way of doing a good job of your cybersecurity.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

Globally, we have a lack of tolerance and openness to ideas. People carry around assumptions and aren’t listening to each other.

I’m going to go back to a little tool I was given by a consultant in the Air Force, which I employ continually.

I listen and count to 10. In the past, whenever anyone would say something, I would jump in with my idea, and climb down their throat with the way I thought it should be done.

Today, I make sure I try to spend as much time as I can not saying anything and counting to 10 before I engage with my response. It could be 10, it could be 20, it could be overnight.

Pause, listen and count to 10. That’s my advice.

How can our readers further follow your work online?

You can find us at We’ve also got a great podcast you can follow called P3: The Project Privacy Podcast. Lastly, you can find me on Twitter — @RichardJHale.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
