It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Justin Dolly, Chief Security Officer at Sauce Labs, where he oversees the development and implementation of the company’s long-term security strategy, ensuring its customers have the highest level of protection to support their digital goals. He is a certified Chief Information Security Officer (CISO) with more than 20 years of experience in building and implementing a culture of security within global organizations.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I was encouraged early on to be curious and have a healthy work ethic, and those are things that have helped steer me throughout my life and career. If you’re a curious person by nature, and I always have been, there’s a pretty natural connection with security, where there’s a never-ending array of things to explore. I grew up in Ireland and being in Ireland in the early 80s, there was a big focus on technology. A lot of technology firms were opening up offices across Europe and in Ireland specifically. Technology and talk of technology were just always in the atmosphere, and it kind of enhanced and focused my natural curiosity in that direction. So, growing up at that time in that place has a lot to do with what I do today and what I’ve done for the last 20+ years. I was fascinated by understanding how the technology works, especially under the covers, and I still am today.
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
There’s no one particular story, per se, but I grew at a time when more and more technology was coming into people’s lives seemingly every day, and I was just always interested in learning more about how it works and what’s going on behind the scenes to make it work. When I was in high school, video games were exploding onto the scene and while everyone else was playing them, I found myself less interested in what you were seeing on the screen and more interested in understanding how the technology was making it possible. If you think about it, that’s really what security is all about. It’s about not taking anything at face value and understanding what’s going on in the background.
Can you share the most interesting story that happened to you since you began your career?
One of the unique things about a career in security is that the most interesting stories you have are stories that you can’t share. You’re dealing with a lot of sensitive issues and you get exposed to many, many interesting things that you just can’t talk about. But when I look back at many of the most interesting things that have happened in my career, if there’s a common thread that seems to run through most of them, it’s that they take the form of a crisis, at least in the eyes of the company experiencing the situation. Security is repetitive and monotonous and happening in the background until all of a sudden, it’s not. And when you’re faced with a crisis, that’s when you find out about people — who they are, how they handle adversity, how adept they are at finding solutions. You learn a lot about people in this line of work and it’s one of the many things that makes it so interesting and keeps you coming back.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I had the good fortune to work with a gentleman named Robert Urwiler back in the early 2000s at Macromedia. I was still relatively early in my career and Robert was our CIO. It’s not that he was a mentor for me necessarily, but he was the type of person from whom one could learn so much just from observing and being around. He had a calm, thoughtful, and diplomatic way about him. So much of being a technology leader, whether you’re a CIO or CSO or any position where you’re responsible for the well-being of the systems that power your company, is about being able to stay calm and clear-headed when emotions are running high. When a system is down or there’s been a security breach, that’s when you need calm and clarity. Robert never let the moment seem too big no matter what it was or how others around him were reacting. Seeing someone lead that way was a formative experience for me and it’s something I still to this day try to model and emulate.
Are you working on any exciting new projects now? How do you think that will help people?
One of the things I’m most interested in and one of the reasons I was so excited about coming to work at Sauce Labs is the symbiosis between testing and security. I remember when I first took the job here, people kept asking why I went to a testing company if I’m a security guy. But if you think about it, testing is exactly what security people do. We test and assess vulnerabilities and potential risks. And that’s exactly what developers using the Sauce Labs platform are doing. What we essentially do here at Sauce Labs is provide development teams with quality signals, and I think there’s a real opportunity to provide security signals to those same people. And what’s interesting is that quite often when a security team uncovers an issue or a vulnerability, they’re not the ones that fix it. They pass that information back to the broader IT or development team for remediation. So, the prospect of providing security signals to developers early in the pipeline as they’re developing code would improve the quality and security of the deployments that they’re about to make. The ability to proactively solve potential security issues is very much the silver bullet for security, so that’s something I’m excited about moving toward.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Security people have a saying that the only time we’re ever off is between jobs. The risk of burn-out is real if you’re not aware of it and proactive about managing it. That’s why I always encourage my team and other professionals in the space to take your time and pace yourself. When you join a new organization, especially in a security leadership role, you discover a lot. Your default posture tends to be that I need to find and fix everything right now, and while there’s nothing wrong with feeling that way, you have to understand that you can’t do everything all at once. Take your time and do things step by step, and that’ll help reduce the potential for burnout. In the same vein, don’t feel like you have to change everything immediately or all at once. Organizations usually aren’t ready for rapid change and if you’re trying to change everything all at once, you’re going to meet resistance and that contributes to burnout. Pace yourself and take your time.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc., about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
The specific legal requirements around protecting data and private information are more expansive and detailed than I can outline here, but the guiding principle for every company that collects private information should always be to do the right thing and follow the law. Don’t try to get cute and come up with creative ways to circumvent it. Integrity is a valuable commodity in security, and you have to protect it. So, follow the law, first and foremost. Beyond just laws in the strictest sense of the definition, standards matter in security. Standards such as SOC2, for example. They may not be written into law, but they’re things every organization and security professional should aspire to meet. It’s important to understand what those de facto standards that govern your particular industry are and be doing everything you can to meet them. Again, they’re there for a reason.
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
It’s important to keep in mind that if you’re gathering customer information, the security team isn’t the only one that has access to it. Product teams, engineering teams, marketing teams, maybe even HR and operations teams. You have to make sure it’s being gathered in the right ways, stored in the right ways, classified in the right ways, protected in the right ways, and then destroyed in the right ways when you don’t need it anymore, and that process of doing the right thing throughout that data’s entire lifecycle has to be understood by everyone in the company, not just the security team.
One of the best practices I learned early on and still think is as relevant today as ever is don’t gather what you don’t need. Engineers, marketers, app designers, you name it, they tend to want all of the data. The more data the better. They want as much detailed data and metadata as they can get. But in most cases, you don’t need everything you’re collecting. So, I’m always asking teams if it’s really necessary to gather everything they’re gathering or if there’s a way we could live with gathering just a smaller subset of that information. Because here’s the bottom line: if you don’t gather it, you can’t lose it, you can’t expose it, and you can’t misuse it. If you don’t need it — really need it — don’t gather it.
In the face of this changing landscape, how has your data retention policy evolved over the years?
The simplest way to answer this is to say that it’s evolved with the law. As I mentioned earlier, laws are there for a reason and it’s our job to evolve to follow them.
One thing I have observed is that as storage has gotten cheaper and the ability to record things has gotten easier, companies are keeping data longer than ever, if not forever. I don’t think we’re purging emails from mailboxes, for example, the way we did earlier in my career. That’s been an adjustment for me because as a security professional, I love deleting things. I love purging things. I like switching things off and decommissioning systems because it makes my job easier and makes it easier to safeguard privacy. But the pervasive approach in the industry nowadays is to keep everything forever, which is again why I say that if you don’t need it, don’t collect it because chances are, you’re going to keep it around for a long, long time.
Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?
Without going into too much detail, we focus our efforts around making sure we’re classifying data the right way, retaining and storing it the right way, not gathering any unnecessary information, and above all else, using both the law and the established standards of the industry as our guide. I don’t care who you are or what the specific language of your policy looks like, if you’re doing those things, you’re acting in the best interests of your customers.
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
Certainly, we can look back to GDPR. That’s something that’s impacted everyone. If you’re in Europe, if you do business in Europe, if you have customers or employees in Europe, it affected you. It’s affected almost every business in the world and the penalties are real. They are absolutely real. We’re talking about millions of dollars in potential fines up to potentially being prohibited from doing business in Europe. We’re at a point where everyone’s pretty much got their hands around it now, but it was a real scramble those first few years and the impact was and is significant.
In the US specifically, I don’t see a national or federal privacy standard on par with GDPR coming any time soon, but I do think the California Consumer Privacy Act (CCPA) is something that’s already had a wide-ranging impact and is something we’ll likely see more states and municipalities using as their minimum baseline in enacting similar legislation that grows incrementally more stringent as each new law is enacted.
In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?
Cloud has changed things, for certain. Virtually all of our information is now in cloud environments and it’s more portable than ever before. Because of that, there are some really exciting tools being developed out there around how you manage data, where it’s being stored, and how you allow it to move. One startup out there that’s caught my attention is a company called Open Raven. They have a solution that immensely enhances your ability to understand where your data is across cloud environments, who has access to it, whether it’s encrypted, and when it moves. We use their tool here at Sauce Labs and it’s one I’d recommend.
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
The big one on everyone’s mind right now is the SolarWinds hack that came to light in December and highlighted the need for companies to get serious about enhancing their supply chain security. Supply chains are not new, of course. What is new is how expansive they’ve become. Companies have become increasingly reliant on SaaS apps to manage just about all aspects of their infrastructure. That certainly delivers gains in agility, resiliency, and efficiency, but it also leaves you more susceptible to whatever vulnerabilities exist within your supply chain. So, it’s time to get serious about doing discovery, about making sure you’re using the latest versions of our open source tools, about implementing vendor risk management as part of your procurement processes, and about setting your internal systems up such that you can pull the plug on a compromised vendor without bringing the rest of your business to a halt.
Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order To Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
I’d start with the same concept I talked about before. Only gather what you need. If you don’t need information, don’t gather it. Because if you don’t have it, you can’t lose it, and you can’t be exposed. It’s become so easy to collect and store data now that I think in a lot of respects we’ve stopped asking if we need it in the first place. So that’s the first thing.
The second thing, again, is to let the law be your guide. If you have that honest discussion with yourself and your team and you’ve decided that yes, we do need to gather this data, make sure you’re gathering it lawfully. The absolute best way to protect both your company and your customers is to follow the law.
The third thing I’d say is to be rigorous about classifying your data, understanding the sensitivity and risks associated with data, and designing your security controls accordingly. Not all data is equally valuable or sensitive. Exposing sensitive customer or employee data is orders of magnitude worse than exposing telemetry data detailing the performance of one of my applications. I don’t ever want to expose either, of course, but in one situation you walk away from it unscathed and in the other, you’ve potentially opened yourself up to significant fines and legal liability on top of untold damage to your brand. So, understand what it is you’re collecting and wrap the strictest security controls around the most sensitive subsets.
Fourth, make sure you restrict access and permission. The fewer people touching sensitive customer information, the less chance you have of someone making a mistake. Only people who need access to a given data set should have access to it. No one else. Only people who have permission to move a given subset of data should be able to move it. No one else. Only people with permission to decrypt sensitive data should have the ability to decrypt it. The same way that collecting less data to begin with reduces your risk exposure, so too does limiting the number of people who can access and interact with it.
Lastly, if you don’t need it, don’t keep it anymore. We said earlier that just because you can collect data super easily doesn’t mean you should. Well, the same applies here. Just because it’s cheap enough to save everything forever doesn’t mean you should. The more data you have on hand, the more potential for exposure. Once you’ve decided you don’t need a given subset of data anymore, destroy it. Every time you purge data that you no longer need, you eliminate the possibility of that data ever being compromised.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
One thing that I don’t think we as a society do well enough is protect our kids as they adopt technology. It’s an area where we’re collectively deficient right now; educating younger people on how you leverage technology, how and when it can be good for them, but also how and when it can be dangerous for them. Children have a natural inclination to think that everyone and everything is inherently good. It’s our job to find more constructive and educational ways to teach them that lots of bad things happen on the internet too. And now we find ourselves in a situation where lots of children were forced to adopt technology before we as parents were ready for it. There’s some software out there that’s trying to move in this direction but we’re still very much in the early stages here and largely unprepared for the massive influx of young users that have been created by necessity. We don’t yet have a framework for allowing young kids to adopt technology, whether that’s for distance learning purposes or some other good purpose, in a genuinely safe way. I’d love to see us start making progress in that direction.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!