As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Ruben Ugarte.
Ruben Ugarte is a Data Strategist at Practico Analytics where he has worked with 70+ companies from 5 continents and all company stages to use data to make higher quality decisions. These decisions helped companies lower acquisition costs, save hundreds of thousands of dollars and reclaim wasted time. He also maintains a popular blog that has been read by over 100,000 readers. In his free time, you can find him dancing or trying to learn something new.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
Thanks for having me! I grew up in two worlds: Honduras and Canada. My family left Honduras, in Central America, when I was 12 and moved to Vancouver, Canada, where I currently live. I spent enough time in each country to understand its differences and similarities. My time in Honduras taught me about hard work and family while my time in Canada taught me how to think about my career and life. I also learned that sometimes you’re just lucky. I was lucky that my parents were able to make the move which opened up several opportunities that wouldn’t have been possible if I had just stayed in Honduras.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I was always fascinated by technology. I spent a good chunk of my high school life teaching myself how to code and trying to build websites and products. I was endlessly entertained by everything that you could do online. This naturally led me to doing freelance work at a young age. When I was 23, I discovered the world of data and cybersecurity. Companies were sitting on metaphorical gold with their data but they weren’t sure how to guard it. Unlike gold, data was invisible and could easily be lost or leaked. I shifted my work to helping companies mine this gold for insights while also helping them protect it.
Can you share the most interesting story that happened to you since you began this fascinating career?
One of the most interesting stories happened this year, 2020. Like many of us, I was taken aback by the COVID-19 pandemic. Most of my work stayed the same but I was then invited to work with the provincial government on a COVID-19 related project. I was asked to help the provincial Tourism agency sort through all the data they had and figure out how to visualize it and share it with their stakeholders. This work was crucial because their stakeholders were companies like hotels that were significantly affected by the pandemic. The dashboards that we ended up creating helped these companies understand what was going on in their industry and how they should proceed further.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I would have to mention my parents here. They instilled the entrepreneurial spirit in me through their actions. My Mom has owned several businesses throughout her life including a clothing shop back in Honduras. My Dad used to own a manufacturing parts business as well. They always showed me that it was ok to pursue your own path even if it wasn’t that clear what you wanted to do. They also supported me emotionally as I went through the common struggles of starting your own business.
Are you working on any exciting new projects now? How do you think that will help people?
As I mentioned above, my work with the tourism provincial government in the pandemic has been quite interesting. This work itself is also the beginning of a longer project. The pandemic is far from over and there’s a lot of work to figure out how to help an entire industry survive while travel regulations are still in place. Even after people are able to travel, we’ll see shifts in how people want to spend their vacations and money. This is an uncertain time for this industry but also exciting because of the possibilities.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Find ways to recharge on a regular basis. Take the afternoon off on a Friday and go for a movie or walk with your family. Plan long weekends to nearby destinations. It’s not enough to take a couple of weeks off per year and then go at 100% the rest of the time. You need to find ways to recharge every day. This is what makes careers sustainable over 40–60 years.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
This is a fast-changing industry and there are 3 trends that I think readers should know about. First, cybersecurity is quickly becoming a high priority for many companies. It isn’t just “something IT wants to do”. It’s something that everyone needs to embrace because the repercussions of ignoring it are too great. Second, cybersecurity is becoming a global endeavor. The threats aren’t just local actors but could be anyone in the world. Third, our knowledge as consumers is increasing which leads to higher expectations at work. We are becoming more aware of the data that we create and why it should be protected. Data isn’t an abstract concept anymore. It’s the personal photos on our phone or our search history.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Companies need to focus on 3 existential threats. First, privacy is a big deal. Laws like CCPA in California and GDPR in Europe are imposing hefty fines on companies who violate these laws. Companies can’t just track everything they want without thinking of how they will protect this data. Second, companies need to train their employees on how to recognize cyber-attacks. You may have the best technical security in the world but if your people are opening emails with unknown files, you will always be underwater. Third, companies need to make it easy for their employees to stay safe. You can’t expect people to follow security guidelines that make their work harder to do. I have seen companies that enforce VPN usage, a normal request, but then the VPN itself is unreliable and they are unable to check their emails or files.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I was working with a client that loved to use data. Everyone in the company knew how to work with the data and visualize it on their own. The issue was that they didn’t have the right software tools for doing this. This led everyone to export the data into Google Sheets and their own computers. Sensitive data was available in hundreds and thousands of files and no one knew exactly how much. We worked together to understand what they needed in a data visualization tool and implemented one. Everyone slowly transitioned away from the spreadsheet into a software tool that had the right security controls and permissions.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
In my work, I’m primarily focused on helping companies secure their data. The tools that I use on a regular basis are:
- Chrome Developer Tools: this allows me to track down errors in how data is collected on the client-side.
- Excel: whenever I need to run a deeper analysis, Excel is the go-to tool.
- DNS Propagation: there are cases where we need to make DNS changes for databases and this tool helps me see how the changes are propagating.
- Webhook Tester: this tool allows me to check the integrity of webhooks and how data is being passed through from point A to point B.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
This all comes down to size and consequences. Smaller companies will be forced to use over the counter software because their needs aren’t as complex. For example, a 20-person startup has minimal concerns about being hacked or attacked. Their budget also doesn’t support a dedicated CIO or an agency. As a company gets larger, the surface size of potential attacks increases. You now have more employees with different levels of data access and more ways in which things could go wrong.
Consequences, on the other hand, refers to what kind of data you’re storing. If you’re a software company that offers marketing tools, you might not have as much sensitive data as a cryptocurrency company. The higher the consequences of data leaks, the more you need to invest in professional support.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Data leaks can be like rotted wood. You may not see it but if you don’t proactively look for them, it will lead to foundational issues. Companies should look for 3 signs that a data leak happened:
- Unusual data requests: if you see large downloads or downloads that took place at unusual times e.g. 3 am, you need to investigate further. You might be seeing someone do a data dump from a different country and time zone.
- Unexpected errors: sometimes hacks will also cause weird errors in your product or website. These errors might be visible in specific locations.
- Increased usage from specific people: since leaks sometimes happen through specific people, you want to be aware if someone dramatically starts using their account to access data or services.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
First, get legal involved. Data breaches can be legal nightmares and it’s never too early to start thinking of legal repercussions. Second, establish a small team that can investigate the cause of this data breach. You need the right answers before you go public to understand the full scale of the breach. Third, prepare a communication plan for how you will share this with the public and your customers. Think through the questions and concerns that you might receive and how to best handle them. Breaches are the worst-case scenario but you can survive them with the right actions.
These laws are putting privacy front and center for many of my clients. It’s not enough to just track all the data that you want and hope that everything turns out fine. Companies need to proactively think through how to protect their data and who should have access to it. Initially, only global businesses will be affected by these regulations. Over time, we’ll see standard data privacy guidelines apply to every business just like we see right now with website and employee security.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The first mistake is ignoring this area altogether until a “better time”. There isn’t a perfect time to implement cybersecurity guidelines. The second mistake is expecting conditions to be perfect. Your security only works if everyone works from the office or your security is fine as long as people are only accessing data from their work computers. The third mistake is thinking that you can design your security plan once and forget. The people who want to leak your data are constantly thinking of new ways to attack and you can’t expect that your initial security implementation will be able to sustain all new attacks.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Yes, the increase in remote work has forced companies to level up their security. They can’t physically see their employees or expect them to only work from the secure company WiFi. Companies need to think about all the places that someone might work e.g. at home, a coffee shop, outdoors, and determine how to best protect them and the company. While this is still the early stages, I think we will see an increase in remote work security best practices for all companies.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
While the list of things that companies need to know could be endless, here are the 5 most important ones.
1) Privacy First: build privacy into your data strategy from day 1. This might require more resources in the beginning but it will be easier over the long term. Practically, this means that you know exactly who will access your data and how this access will take place.
2) Best Defense is Offense: don’t try to only do security by obscurity. Face the light and determine what kind of attacks your company could expect. You can then design a security plan based on that. A client of mine was trying to figure out how to secure their most sensitive customer data. We created different levels of permissions, each with their own security protocol. We then trained the employees on how to best access data while staying secure.
3) Expect Remote: companies and employees are going remote and so should your security program. Assume that employees will try to access data from anywhere in the world and from multiple devices. Build a program that takes this into account.
4) Make Security Invisible: the best security is seamless and invisible to the end-user. Take advantage of the security things people are already using like fingerprint and face unlock. Allow people to authenticate via their company email address. These things add security without putting the burden on the users.
5) Get Out of the Way: don’t let security drag down the company. If you want people to use a VPN, ensure that you have a reliable provider that won’t go down on a regular basis. This is what kept happening to one of my clients and it was incredibly annoying. They would actually tell me that they couldn’t work right now because the VPN was down.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Empathy over facts. We are seeing an increase in people who get dismissed because they don’t know the “facts”. The issue is that the facts are lost in the noise of our current world. Instead of ignoring someone because of their political beliefs, we should strive to have empathy. Understand where they are coming from and we’ll realize that we are all just doing our best.
How can our readers further follow your work online?
They can read my blog at https://practicoanalytics.com/blog and they can also subscribe to my weekly newsletter, the Growth Needle, read by 1,500+ executives and growth leaders from companies like JP Morgan, GE, Oracle, Samsung, Apple, and the American Red Cross here: https://practicoanalytics.com/practicos-insight-of-the-week/. They can also follow me on Twitter @ugarterd
This was very inspiring and informative. Thank you so much for the time you spent with this interview!