As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity,” I had the pleasure of interviewing Robbert Emery. He is responsible for commercializing NEC Corporation’s advanced technologies in HPC and AI/ML platform solutions. In his role as director of technology marketing and business development for NEC’s technology commercialization accelerator, NEC X Inc., in Palo Alto, California (https://nec-x.com/), Robbert helps clients solve their data privacy needs to be in compliance with enforceable data privacy regulations that include GDPR (General Data Protection Regulation), the CCPA (California Consumer Privacy Act), the ACCC CDR (Australian Competition & Consumer Commission Consumer Data Right), and similar enforceable regulations.
His career spans over 20 years in the ICT industry’s emerging technologies, including mobile network communications, embedded technologies and high volume manufacturing. Robbert has an MBA from SJSU’s Lucas College and Graduate School of Business, as well as a bachelor’s degree in electrical engineering from California Polytechnic State University.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in Lakewood, Washington, in the ’70s and ’80s, not too far from where Microsoft launched the MS-DOS operating system. During that time, when I was discovering what I wanted to do for a career, I took an interest in my friends’ parents’ careers. One thing I knew for sure, at that time, was that I didn’t know what I wanted to do. However, in the late ’70s, as my neighbors started bringing home Altair and Apple II+ personal computers, I discovered I had a natural interest in electronics and technology, as well as the science that made computers possible. While I didn’t know precisely what I wanted to do, nor was I interested in trying to rush into something, I decided to fulfill a civil service obligation and volunteered my time to the U.S. Navy. During my time in the Navy, I had the unique opportunity to visit many countries and experience the amazing differences in cultures and values. It is precisely those experiences that have guided me in my career.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
My career in the information and communication technologies (ICT) industry followed a couple tours of service in the U.S. Navy, where we used long distance radio frequency signals to communicate between ship and shore, and my studies in digital communication theory at California Polytechnic State University, San Luis Obispo. While I was in the Navy, and visited several countries, I saw firsthand the differences in quality of life between neighboring provinces and cities. In some cases, I understood the differences were simply because the infrastructure development had not yet reached a community. However, in other cases, I understood the differences were due to the intentional suppression of entire communities. Whether my understanding was correct or not, it left a lasting influence on my career decisions, and how I view the need for protecting individuals’ and organizations’ digital information and means for transacting with digital communication.
Can you share the most interesting story that happened to you since you began this fascinating career?
The most interesting revelation emerged as a result of changing career directions, in the form of joining a new product team. It just so happened that I was transitioning from wireless communication products to optical communication products; the lingo is different but the concepts are quite similar. The revelation for me was that we only know what we know, and there is a whole world of unknowns out there. Keeping an open mind and willingness to learn (and do) opens unimaginable opportunities.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
That certainly cannot be emphasized enough. I have had help from so many people along the way. I would like to mention each and every person who has helped me in my career, but one person who has been particularly motivating is my brother, Vaughan Emery, who preceded me in the ICT industry by 10 years. In fact, as a serial entrepreneur, his drive and focus, as well as the energy he has put into products, have made a significant contribution to the industry’s forward momentum. Let me add a bit more meaning to the type of help he has been and continues to be. Vaughan has had a long career on the software side of technology, while I have focused primarily on the hardware side. You might imagine the type of heated debates we have during our Thanksgiving get-togethers. When it all comes together, the right combination of hardware and software makes for the most robust solutions in cybersecurity, and doers get it done.
Are you working on any exciting new projects now? How do you think that will help people?
Yes; the project I’m currently working on is an example of the great combination of hardware and software, in the form of a much-needed solution in data privacy. It uses AI algorithms to execute data privacy models using a weighted rules engine, based on federally mandated directives. This is a semicustom solution built on advanced data accelerator processors that lowers enterprise costs when compared with fully custom solutions. This will help enterprises secure personally identifiable information (PII) that is regulated and enforceable by federal laws. Additionally, because this is an AI solution, changes made to privacy directives, laws or personal privacy statement selections can be updated in the solution’s data privacy model and deployed across any organization in as little as one day. Once the data privacy model is retrained and deployed, it can be instructed to rescan the enterprise’s entire data lake for compliance.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Individual burnout is a real problem that many organizations recognize, and more are becoming aware. In the last four years, I started a three-step approach to avoid burnout and thrive in my work. First, I diligently schedule time on my calendar for exercise. For me, it’s mainly a 45-minute walk or some deliberate body movement with weights. Second, in all my activities related to work, whether having a meeting with others or just working on something individually, I ask myself, and answer to myself, “How does this add value to the team’s objective?” This gets me focused and lets others know that I’m not there just to fill up time. Third, the time I have accumulated for vacation and PTO is provided by the company to refresh myself; and I use that time to be completely away from work to take “deep breaths” and get myself back into a natural, sustainable rhythm.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
The data privacy and cybersecurity industry is one of the fastest-paced industries in ICT. It lowers barriers in attaining higher quality of living, and is one of the enablers for digital transformation in the workplace, as well as in our personal lifestyles. Digital transformation has been happening for the better part of half a century, depending on who you talk to. It wasn’t until after the “Telecommunications Act of 1996” was signed, and the dot-com bubble, when the internet went through its initial business correction cycle between 2000 and 2003, that digital transformation really started to pick up speed. However, I think we can all agree that since the emergence of social media in early 2000, PII data had been handled in a cavalier manner. Policies, oversight and accountability just were not in place. PII data wasn’t the only loosely protected asset; corporate data also became highly targeted by cybercrime.
With the increasing severity of data leaks and misuses that have happened since 2006, when 17 million records were stolen from a large telecommunications company, corporations, governments and individuals have taken a step back to reconsider data privacy and cybersecurity practices. In fact, due to the mounting threats and costs caused by such data leaks and misuses, we have all lost something in terms of ICT setbacks. Just a few of the many examples include the delay in the widespread availability of safe and low-cost transportation that autonomous vehicles could offer, and potential savings in cost and loss of life offered by connected IoT devices such as fire and emergency sensors. There are many more examples of technologies that could significantly improve the quality of life for billions of people around the world, but sadly, they have been set back by perhaps tens of years due to security concerns. Now, with the emergence of data privacy and cybersecurity policies with meaningful compliance motivators, corporate leadership teams are stepping up their efforts to find ways to offer new and exciting products that address quality of life limitations for entire communities around the world.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Indeed there are. I think it starts with looking at the threats to productivity. Let me drill down a bit on what I mean by that. During the digital transformation era, I’ve observed several shifts in legitimate corporations’ operational and sales philosophies; and more recently, deliberate malicious behaviors. These shifts include: 1) changes in the “storefront” — how products are viewed and sold; 2) accumulation of digital assets and products; 3) accumulation of subscribers and social media followers; 4) targeted advertising; 5) phishing and spamming; and 6) ransomware. So, when I mention productivity, I mean reducing interruptions to operational workflows and preserving accumulated earnings intended for advancing innovation and product development.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I have a few, but let me share something related to GDPR compliance regarding the most recent project that I’ve worked on. Data privacy and cybersecurity is a complex issue that requires a robust solution; specifically, a solution that adapts to changes in compliance directives, whether GDPR or any other federally mandated directive. This is especially important for corporations that have operations in multiple geographic locations. To solve this complex issue, several development teams came together from multiple companies. Together, these teams created a solution that uses AI models that scan corporate data lakes for PII data and redact the sensitive personal information to comply with PII protection directives. With this solution, corporations are protected from the risk of data privacy breaches and sizable fines.
There were three main takeaways from this project. First, the issue of data privacy and protecting PII is recognized as mission-critical to corporations offering online digital services as a product. It is such an important and fragmented issue that the topic has been elevated to the federal governments for directives and enforcement. The result is that multiple enforceable directives are starting to emerge, complicating the matter even further.
The second takeaway was that the solution must have provisions that allow it to continue evolving as directives change and corporations expand their operations into new regions.
Lastly, solving that particular data privacy issue was a large project that required a very large team — a team with expertise across many fields, including cybersecurity, data science, software engineering, hardware engineering and information technology. It was really a pleasure working with that multifaceted team.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Currently, the main cybersecurity tool I use is primarily focused on data privacy and PII protection. This tool attempts to address one of the major motivators for cybercriminals, hackers and internal data leaks; namely, gaining access to PII. Curated lists of this ill-gotten information are valuable and are sold to entities that misuse the data.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
As a solution provider, I’ve spoken with representatives from many companies. Overwhelmingly, the takeaways have been that data privacy and PII protection are of paramount concern. Some have attempted to develop a solution in-house. Some have chosen to outsource to cloud service providers. In my discussions, it has become clear that each approach has problems. Some attempts at developing in-house solutions ended up significantly over schedule and over budget, resulting in the project being canceled, and resulting in zero ROI. On the other hand, attempts to outsource data privacy and PII protection to cloud service providers resulted in contracts that did not indemnify the company from such breaches. In fact, since many of the contracts for cloud services have been long-standing, they are now antiquated when it comes to the newly enforceable consumer data protection directives.
As a result, many companies have started to address this problem by working with solution providers to bring their data back inside their own firewalls, without having to build the system themselves. There are recent technological developments that allow this to be accomplished cost effectively with a single server chassis, without the expense of an entire HPC cluster. While this requires a capable in-house IT team to run the system, hiring a chief information security officer is really only needed by larger organizations.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
You are right, breaches and hacks can take quite a bit of time before being noticed; some may never be noticed. Unfortunately, being vigilant in this area takes quite a bit of additional time for a layperson, time that should be used focusing on more productive activities. Therefore, I recommend using just a few, natural steps to detect possible breaches.
The first, and probably the most natural, is the observance of an increase in spam emails, phone calls and text messages. An increase is an indication that your personal information has recently been leaked, or scraped, and unlawfully used by scrupulous actors.
Second, some modern network access gateways have user-friendly dashboards where one can select settings to automatically monitor and alert when unknown attempts to access your network are detected. Once this is set up, and you receive notices about unrecognized IP addresses, you can elect to “blacklist” the device from accessing the network until that device is removed from the blacklist.
The third, and most important, is the regular checking of credit reports. This is also becoming increasingly important for any children in the household. Speaking as a parent, my children’s credit health is very important. So, twice a year, while my children were younger than 18 and had a bank account, we went to the bank to check whether there was any activity on their credit report. It has become a real and growing issue, known as “Frankenstein fraud,” where young children’s account information has been leaked and used by hackers to create other financial accounts such as low-limit credit cards. The objective for these cybercriminals is to establish a good credit history, setting them up for an eventual one-time loan before the child reaches the age of 16 years old.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
It is important for companies to note that there are criminal organizations with malicious intent. As a steward of valuable data, the company is responsible for keeping that data safe from unintended uses. It is good practice to have a security-incident-procedure plan on hand before an incident happens. A plan that is well thought through and documented is essential for every company, especially those that hold the PII data of their customers. After a security incident happens, do not panic, do not pay a ransom and follow the established security incident plan. A good plan should contain actions for: 1) initial reporting and team assembly; 2) detecting and ascertaining the source of breach; 3) containment and isolation; 4) assessing severity of damage; 5) sending appropriate notifications; and 6) a resolution plan to prevent similar incidents from happening in the future.
As a solution provider, emerging privacy measures from around the world have brought to light, at the highest levels, that consumer privacy rights are going to be enforced with heavy fines. We have seen penalties as high as 4% of corporate worldwide overall turnover, in the case of GDPR violations (meaning misuses of PII). I don’t think this will affect most businesses, because those businesses that ethically collect PII have very specific uses for such information. Where I think these measures will have an effect are: 1) how the collected data is protected by those businesses; 2) giving ownership of that data and how it is used back to the consumer; and 3) motivations in finding and correcting violations.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Through my discussions with data stewards, mistakes happen as companies neglect to update their data privacy and cybersecurity practices as their businesses scale. Another common error is believing that their cloud services providers will indemnify the company in the case of data breaches. Other mistakes happen when companies put data democratization above having appropriate and established data privacy and cybersecurity measures in place. In some cases, a breach is simply an employee mistakenly copying information in which incidental PII data happens to be included. Another common mistake comes from not communicating company policy changes across the organization in a timely manner, or perhaps just a few employees happened to miss an update notice because they were out of the office that day. Regardless of whether the breach is detected, the risks of causing damages are real.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
I personally have not seen an increase in cybersecurity or privacy errors since the start of the pandemic. I believe this may be indicative of the diligent use of corporate VPNs. Or, perhaps the incidents just have not been detected yet due to the work-from-home business environment.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
At the risk of stating the obvious, it is important for companies to take a holistic approach to data privacy and cybersecurity. This means embracing the competitive advantages of both the human and computer aspects in establishing a robust, sustainable data-privacy and cybersecurity system. There are three principles I regard as part of the human aspect: 1) accountability; 2) motivation; and 3) making consequences known. The two principles I regard as part of the computer aspect are: 4) a closed system; and 5) semi-automation.
Implementing a holistic, robust solution is complex and dynamic, and its requirements continue to evolve with new federally mandated directives, including changes to existing directives and keeping up with corporate policies. Therefore, the accountability I am referring to is top-down — providing the right tools and the means to guarantee that the company’s data stewards can secure its own data, while ensuring that the tools are adaptable to the rapidly evolving data privacy and cybersecurity environment. Data breaches, leaks and misuses are all-too-common problems. When they happen, network and data security teams must be motivated to take on whatever challenges arise, and they must be aware of the consequences for delays or executing the security incident plan out of sequence. Advising the team about the consequences is important. The high costs that data misuses and leaks have on productivity, the corporate exposure to fines, and the severe damage that could be done to the credit health of a young adult entering the workforce or higher education are the main reasons for companies to ensure accountability on their security teams.
In addition to the human aspects, there are the computer aspects of the system, where semi-automation and a closed system tighten up the company’s data privacy and cybersecurity implementation. What I mean here is that the use of an AI platform and models enables companies to comply with the numerous regional directives protecting consumer and personal data. This type of appliance scans various enterprise data lakes (and other data sources) for types of data, and PII specifically, as defined in the data protection directives. It then applies remedies per the directives. Because this system is programmable, changes in policies or directives are easily adopted into the AI model’s framework. This results in the ability to retrain the system and redeploy the updated solution in a matter of days.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
With every challenge, there is opportunity. One of the biggest challenges individuals are confronted with in this era of digital transformation is making a clear and correct distinction between what is real information with good intentions and what is not. Take the opportunity to protect personal identifiable information and its misuse. Step up and help filter out the spread of misinformation.
How can our readers further follow your work online?
Readers can learn more about NEC X’s advanced AI computational accelerators and data privacy solutions at the following link: https://nec-x.com/products/aurora/
This was very inspiring and informative. Thank you so much for the time you spent with this interview!