It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Steven Kent.
Steven Kent, Chief Technology Officer of onShore Security, is an expert in secure network design and policy, with over 25 years of experience helping businesses implement technology solutions. Kent has been involved with the internet since the very start, helping to create its policies, serving as sysop for several Midwestern BBSes in the ’80s, working in the ISP and telecommunications space, developing his own business, and joining onShore in 1999. Steve specializes in the design and implementation of wide-area network solutions for clients with branch locations.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in rural Indiana, outside of a rust-belt city. My first forays into computers were surreptitiously getting access to the local university computer system to get onto the forerunner of what would become the internet.
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
Not one thing in particular, no.
Can you share the most interesting story that happened to you since you began your career?
I have many interesting stories that have happened during my career, but unfortunately due to the nature of the work, I can’t share them.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
There are a lot of people who have helped me along the way, friends, partners, employers. It would be hard to pick out a particular person.
Are you working on any exciting new projects now? How do you think that will help people?
We’re actively working on improving heuristic and machine-learning systems that are designed to help us baseline customer network traffic and network access, in order to more easily detect anomalies and empower the analysts to identify potential breaches or policy violations, quickly and efficiently. That’s one of the things we’re actively working on that I’m excited about.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
We’ve all been in that position. One thing you need to do is to be comfortable taking a break now and then. A break gives perspective on whatever problem you’re working on.
I also think you need to rely on your team. Don’t think that you, as an engineer or security person, need to be the only one to solve every problem. There is a long tradition in this industry of the “lone hacker” who fixes everything themselves. That tends to create a lot of burnout. People can burn out in 2–3 years because they try to do everything themselves. Build a team, rely on that team.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc., about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
There are a lot of factors here. It depends on where you’re located and what type of data you’re talking about. Broadly, there are three types of obligations: legal obligations, business obligations, and ethical obligations. Ignoring any one of those can get you into trouble. We’ve seen changes in state regulations, of course. In Europe, there is GDPR. I think the US actually needs more regulations, but that’s me. It’s a complicated question.
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
Yes. A good practice is that if customer data no longer serves a useful analytical purpose, it should be destroyed. If customer data can no longer be secured, it should be destroyed. In both cases, it should be destroyed according to whatever your secure data destruction policy sets: a secure method which takes into account the storage medium and recovery possibilities.
In the face of this changing landscape, how has your data retention policy evolved over the years?
Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?
The first step in designing data retention policies is to categorize what kind of data you have. Not all data is created equal. Within our organization, we classify data into 5 categories in relation to our business: business critical, business sensitive, informational, public, and unclassified. Each one of those categories has a specific storage, retention, and destruction policy. Your policy is not just informed by the data you have, but also by the relationship it has to your business and your customers’ business. Some information, like contacts, may fall into a business sensitive classification. Know your data, know how it is housed, and then you can work on retention policy. For us, business critical client data that is primarily analytics or metrics has a minimum retention policy of one year. Other information might have a retention policy of 3 years, depending on classification. Overall, our policy is one year unless it’s cached data, in which case it would have a much more limited lifetime, often destroyed right after creation.
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
We’ve always tended to exceed legislative and regulatory requirements, so I can’t think of legislation that has affected us at onShore. I can’t think of any impending legislation that would negatively affect us. I’m actually a proponent of better data security legislation, as well as an American answer to GDPR. I don’t think it will happen, but I think it needs to happen.
In your opinion, have tools matured to help manage data retention practices? Are there any that you’d recommend?
I think we’ve seen a vast improvement in the past 5–7 years in guidance in policy around data retention and that’s much more important than any piece of software or tool. At the end of the day, it’s your organization’s internal governance that will determine your ability to manage data.
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
At our organization, no. We believe strongly in maintaining control of our data within our own infrastructure. The cloud offers a lot of great opportunities for scalability and efficiency, but it’s not a panacea. The cloud often requires a greater amount of security concern than one would need with their own infrastructure. The cloud is not inherently secure; it requires a lot of work (and monitoring) to secure it properly.
Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order To Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
- Know what data you have and its relationship to your business (Inventory, identify)
- Know where that data is stored! Does your Jr. accountant have a spreadsheet of passwords and credit card information sitting on their desktop?
- Know who has access to that data (and should they have access permissions?)
- Is that data still relevant or should it be disposed of?
- If that data is critical, is it being backed up? Who has access to backups?
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Within the industry, my movement would be to be suspicious. Within cybersecurity, everyone, from malicious actors to vendors, is trying to push the easy solution. Phishing and sales speak a lot of the same language and play to similar feelings. Be wary of any “easy” solution. Real technical problems rarely have simple solutions. Humans are complex creatures, and you can’t change human nature with software or by chastising them for security mistakes. There is a constant tension between human operations and security, and we always need to seek improvement. Thinking you can skip ahead of that process by just buying software or hardware won’t work. It requires constant work, vigilance, and human interaction.
How can our readers further follow your work online?
I occasionally post on Twitter at @Mr_Steve64 and I’m on LinkedIn at https://www.linkedin.com/in/stevenkentcto/
This was very inspiring and informative. Thank you so much for the time you spent with this interview!