Community//

David Lee Djangmah of #iTHiNKLabs: “Anything that doesn’t need to be kept, goes. It’s that simple”

Anything that doesn’t need to be kept, goes. It’s that simple. Because no one is 100% immune from hacking data security lapses. Not even top cybersecurity companies, government agencies or minds. Further to the above — and the devil is in the details — reduction of both attack surface and attack vectors to the point where it is pointless to […]

The Thrive Global Community welcomes voices from many spheres on our open platform. We publish pieces as written by outside contributors with a wide range of opinions, which don’t necessarily reflect our own. Community stories are not commissioned by our editorial team and must meet our guidelines prior to being published.

Anything that doesn’t need to be kept, goes. It’s that simple. Because no one is 100% immune from hacking data security lapses. Not even top cybersecurity companies, government agencies or minds.

Further to the above — and the devil is in the details — reduction of both attack surface and attack vectors to the point where it is pointless to be targeted, apart from the fact that there isn’t much to hit or steal anyway, is the obsession more so than policy, that continues to dominate my approach.


It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?

As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Lee Djangmah.

Lee is an American security researcher, China expert, futurist, technologist, lawyer; business, disruptive HR strategist, and management consultant with 20+ years’ experience.


Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Raised by a single mother who often traveled abroad, I had a pretty busy childhood.

Long before Airbnb, when we weren’t hosting mostly European expats with me as the guide, I was often picked up to spend long holidays with influential total strangers and family friends. So, I learned the value of cognitive and genuine diversity at a very early age. Indeed, my observational, situational awareness, social, influencing, and closing skills were developed by age 7, when I was counseling seniors.

However, before emigrating to the Bronx and eventually graduating high school a second time in Vineland, NJ — while waiting to start Drexel University — I grew up five minutes walk from the Atlantic ocean and about ten from Fort Christiansborg in Accra, Ghana. So, holistic security, military defense and their intersection with politics were on my mind at a very early age.

That is why briefly being under covert surveillance after my big brother mistakenly crashed into a convoy of the then National Security chief was intriguing lesson, as I noticed a lot going on that everyone else didn’t. Even as the last of 3 boys.

Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.

Well, perhaps I have to thank one of China’s big tech, — for leaving me conflicted.

I was a full-time tech consultant and undergrad working with a disaster recovery and business continuity planning software leader back in 1997 when my security research passion led me to begin connecting the dots and predicting the outcome of an IBM collaboration I then viewed as naive; Cisco’s future, and growing Intellectual Property theft allegations against a Chinese tech giant a lot more in the news these days.

Cybersecurity was neither big back then, nor the intersection between strategic hiring (as I defined it), grey zone threats or asymmetrical hybrid warfare well understood or sufficiently tolerated in both Western academic faculties (law school in particular) and professional circles. Not even in 2016, when like Garry Kasparov, I was on NPR being rushed to teach Americans with short attention span, the simple concept of strategic deception having hailed Obama’s empty threats against Russia as U.S. Cyberdeterrence 1.0 in vain. But I digress!

In the end, I settled for a LL.M. (Master of Laws) in ① Intellectual Property & Information Technology Law ② Substantive Law of The European Union (& EU Competition Law) and ③ International Commercial Arbitration Law (Alternative Dispute Resolution), then consulting globally and operating from China for over a decade, after being headhunted there during my PhD.

Can you share the most interesting story that happened to you since you began your career?

See my “UNPOPULAR Strategic Reasons WHY China’s Economy Is Set To Overtake U.S. Earlier After COVID Fallout” in #iTHiNKLabs Episode 144. That, together with my strategic analysis of the 2021 Insurrection in #iTHiNKLabs Episode 146, along with COVID19, perfectly sum up the cost to a formerly reputed democracy, superpower, business, HR, individual, or family, of celebrating and normalizing dysfunction and digital distraction to the point where stability crumbles all around, and all that is left, is the ‘same ole’ TV ratings-focused reactive quarterbacking and personal branding so rampant in the U.S. today.

In other words, instead of the ability and discipline to heed warnings by its futurists, strategists, and security experts, pivot and self-correct much earlier on, in the West — what I found, analyzing from the perspective of an outsider — is, individuals, businesses, groups leaders and influencers accusing lamenting Trumpism share some of the same traits of recklessness, intransigence, and educability.

Hence, our scatterbrain society bleeding high quality talent, productivity, and competitiveness, is, more tragic than interesting to me.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

Naming one particular person would be the height of ingratitude as practically every success I’ve achieved was made possible by loved ones, believers, doubters, and even haters in their own unique way.

Are you working on any exciting new projects now? How do you think that will help people?

Both my technology, business, consulting, and strategically focused #iTHiNKLabs Research Project and much older Open-Minded Community Project have been helping people, businesses, and leaders officially, since 1999, and keep me busy.

Collaborators and sponsors always welcome.

As in Confucian tradition, I’ve always acted or worked in obscurity and only after the deed (or success), spoken about it. So, to your question, and since I make it a point to not gloat over results, it’s often mainly collaborators and sponsors that often discover exciting projects I’m working on.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc, about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?

When it comes to data protection, everybody is your customer. From prospects, to clients, to your employees, supply chain, third-party risk, mobile and social media security risks. And your obligation to be a responsible steward of data is as ethical as it is legal.

However, mind you, effective data protection is first and foremost, counterintuitively, an HR function. Hiring risk mature professionals across the board should be ingrained in HR ethos the way strategic thinking and risk mitigation is, expert China expats will attest, is ingrained in Mainland Chinese culture, — in this case, as a means of organically building a risk mature business culture complete with human firewalls.

Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?

Data is so fragile an asset that smart and lean businesses focus on deletion. Not hoarding.

Further, “destroyed at a certain point” means, no longer than a month, if all. Which is why I’m known for disrupting HR pros (in the U.S. in particular) stuck on archaic data greed. As well as websites that burden users unlikely to return to their platforms — or in the case of LinkedIn, those breached several times — with conventional thinking having nothing to do with compliance.

Moreover, as mentioned earlier: Proof that compliance doesn’t prevent data breach is well-publicized. The ‘convenience’ and ‘functionality’ argument only worsen data greed, data monopoly and data dictatorship by organizations with nonexistent, elementary, or poorly throughout and executed IT security who think simply saying they ‘take security seriously’ gets the job done. Yet assuming risk intelligence because you can blab, doesn’t equal data security. And the reason I am pessimistic is because unlike the Mainland Chinese, in the West today, HR is broken, sales KPI-driven, as distracted everybody else; undervalues genuine diversity, and rewards short-term pragmatism. Which explains why instead of building robust risk mature culture against insider threats, APTs, and even teens like Graham Ivan Clark whose recent hack embarrassed Twitter, U.S. business continue to expose the selfsame broken business/HR culture that facilitates theft and breach of customer data at an increasingly alarming scale.

In the face of this changing landscape, how has your data retention policy evolved over the years?

Anything that doesn’t need to be kept, goes. It’s that simple. Because no one is 100% immune from hacking data security lapses. Not even top cybersecurity companies, government agencies or minds.

Further to the above — and the devil is in the details — reduction of both attack surface and attack vectors to the point where it is pointless to be targeted, apart from the fact that there isn’t much to hit or steal anyway, is the obsession more so than policy, that continues to dominate my approach.

Followers or readers of #iTHiNKLabs understand more than others that proactive security is the name of game. That, and staying ahead of trends. For example, Gartner Research which follows me, predicted years ago (2017 or so) that “by 2022, API abuses will be the most-frequent attack vector, resulting in data breaches for enterprise web applications.” And we’re already seeing that.

Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?

The way world-class VPN companies that are data privacy advocates practice “no-log policy.”

Unlike Jeff Bezos and Amazon, I take the approach that even where “you can take a punch”, it is reckless to be needlessly exposed. Think defensive Boxing legend, Floyd Mayweather Jr.

That is why I shamelessly advocate cash over credit, with data evidence to backup my advice.

So, while the enumerated policies and best-practices above and below validate, and in some cases, inform my data retention policy, in practice, we are talking about extremely lean data stinginess, — as an obsession more so than policy. Because data retention policies can be easily circumvented through sophisticated scams and business email compromise, all of which my Twitter covers.

As a big-picture problem solver, I founded Cool AutoSec and left sales to my former Chinese mentee. The same rational explains why I opt for ‘rented space’ and keep my personal blog and code nimble and local, than bear the burden of maintain a dedicated, secure website.

Again, “destroyed at a certain point” means, no longer than a month, if all.

HR pros in particular, as well as government and business websites need to wrap this around their heads: It is not personal. Just simply dumb to stubbornly think you can protect data and clamor for PII with punishing red asterisked fields that prevent applicants from clicking Next unless they fill them.

One British security agency inviting foreigners to apply requires a National Insurance Number (equivalent to the U.S. SSN) before clicking Next. Effectively killing applications long before data retention is even an issue, just because both HR and the IT expertise they rely on, lack foresight and risk maturity.

A rather daft way to bleed talent while going online to lament talent crunch or cyber skills gap.

Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?

Not particularly, so long as one is talking about the West.

Precisely because of the strategic, holistic readiness posture I bring to business, despite my training as a lawyer.

In the case of China, suffice it to say, businesses and leaders who don’t hire me, read #iTHiNKlabs, or follow me have been, and often are caught with their pants down, because there’s a lot to worry about and be prepared for, on an almost daily basis.

In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?

As a tech minimalist, I’d emphasize 3 counterintuitive cautions:

① Check your emotional attachment to tech as the answer to all security problems. It is not. Ask the Taliban, or data breach victims — from organizations with deep pockets to the world’s richest.

② Never be swayed by the wrong-headed assumption that security should be limited to data, network and systems. Or, that you are to avoid politics, etc. Nothing could be less naïve. Before COVID-19 morphed into a remote work security challenge for businesses, it was trivialized in the West as some political or at best, health security threat having nothing to do with tech.

③ It’s not tools, but people’s risk maturity we should invest in.

Risk maturity is what the Taliban, Chinese, and Russians bring to reactive, scatterbrain cultures like the United States’. It is based on tactical human creativity, which intuitively understands the limits of technology and always seeks to leverage it.

U.S. businesses need more risk maturity than (mature) multi-billion dollar IT security systems and tools that do nothing to avoid America’s increasing intelligence failures. And Kevin Mitnick agrees.

There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?

No. And precisely for the reasons already addressed.

Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)

Please refer to my initial answer including the above.

Storytelling is built into my publications. And those who take the hypertexts and hyperlinked images seriously, study them, or engage me, glean the most. For everything else, I’m flown in for consulting.

Critically, I’d repeat, progressive, truly open-minded, well-run businesses committed to staying ahead of the curve are not simply following the crowd like the 97% (above). Instead, they are gleaning invaluable insight from a diverse pool of security technology minimalists like myself — who focus on human assets as a better data security foundation than wasting millions or billions of dollars on tech that does not protect customers — as well as taking data ethicists seriously. From employees to leaders and CEOs working from home or not, these comprise the silent practitioners and disseminators of cybersecurity fundamentals, as well as avid readers of every episode of #iTHiNKLabs.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

It’d be everything The Open-Minded Community and The #iTHiNKLabs Research Project does.

Anyone determined can seek out and read high quality, life-saving, life-enhancing content. Those who wait for celebrities, decorated media outlets or friends to make them aren’t my niche.

How can our readers further follow your work online?

❶ https://about.me/SecurityFirst

❷ https://twitter.com/B2Spirit_TT

You won’t find me on LinkedIn. Not without my help. Why? Social Media Security.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!


    Share your comments below. Please read our commenting guidelines before posting. If you have a concern about a comment, report it here.

    You might also like...

    Community//

    Kate Kliebert of Kliebert Law: “

    by Jason Remillard
    Community//

    “Everyone doesn’t need to know”, With Jason Remilard and Stacy Eldridge of Silicon Prairie Cyber Services

    by Jason Remillard
    Community//

    Pieter VanIperen of PWV Consultants: “Treat all sensitive data like it’s your own”

    by Jason Remillard
    We use cookies on our site to give you the best experience possible. By continuing to browse the site, you agree to this use. For more information on how we use cookies, see our Privacy Policy.