As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Dr. Galina Datskovsky, CRM, FAI and serial entrepreneur, an internationally recognized information governance, privacy, compliance, security and artificial intelligence expert.
Galina is currently the CEO of Vaporstream, Inc. She previously held the position of SVP of Information Governance at Autonomy/HP and was General Manager of the Information Governance Business Unit and SVP of Architecture while at CA Technologies. She joined CA in 2006 with the acquisition of MDY Group International, where she was founder and CEO.
Galina currently sits on the advisory board of the Executive Women’s Forum. She is a champion of the entrepreneurial spirit: she has served on the boards of multiple startups, assisting with strategy, and continues to support the startup community. Galina served as Chair, President, President Elect and Director of ARMA International (2007–2013), has been widely published in academic journals, and speaks frequently for industry organizations worldwide. She was designated a Distinguished Engineer while at CA (2006–10), was the recipient of the prestigious Emmet Leahy Award (2013) and was named a Fellow of ARMA International (2014).
Prior to founding MDY, Galina consulted for IBM and Bell Labs and taught at the Fordham University Graduate School of Business and the Graduate School of Arts and Sciences at Columbia University. She earned her doctoral, master’s and bachelor’s degrees in Computer Science from Columbia University.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I was born in Soviet Russia. My family immigrated to the United States when I was 11, but for the first years of my life we lived in a communal apartment in Moscow. There are many stories I can tell; however, most importantly, people had no freedom of movement. You could not change apartments, move from city to city and certainly not travel abroad. The government controlled every aspect of everyone’s life. Leaving permanently was not even an option until the late 60s and early 70s. When my two brothers graduated high school at the age of 14 and were denied university admission based on religious discrimination, my parents realized it was time to leave and began planning. We were all sworn to secrecy. Miraculously we were given permission in record time — only 3 months! We were allowed to bring 250 dollars per person and some personal belongings.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
My mother was the first computer engineer I ever met. When I was a girl, she brought home an early-stage terminal with its rolls of fax-type paper. I remember the sound of the modem dialing into the mainframe so my mother could work at night and on the weekends. I examined the equipment and found it completely fascinating. I went on to do my doctoral work in Artificial Intelligence. AI, data privacy and cybersecurity seemed like a natural marriage — there is lots of information that needs to be used prudently across the three.
Can you share the most interesting story that happened to you since you began this fascinating career?
While building my first company, an information governance and compliance organization, I was working on a deal with a major corporation. After rounds of negotiations, I met with their attorney. He sat across the table from me, looked me straight in the eye and with a serious voice asked, “all the details are fine but what if motherhood calls?” Even though his question was insulting, I knew that the future of my startup depended on this contract. With a reasoned voice, I responded that “I already answered the call and my daughter is 2 years old now.” What I did not share with this attorney was that I was also pregnant with my second child. In my seventh month of pregnancy, I made sure to stop by his office to advise him that I was taking a maternity leave.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
My doctoral adviser, Kathy McKeown, was influential in guiding me into the business world. When I was a graduate student in my third year, I got a paper accepted into a conference called the International Joint Conference on AI, or IJCAI. I had never given a presentation to anything bigger than a peer group, or maybe a couple of other people at work, but nothing massive. The conference was in Milan and there would be 300–400 people in the audience. I practiced my talk extensively — this was before the age of PowerPoint, when you had overlay slides you had to flip manually. I said to Kathy, “I don’t know if I can do this.” She said, “Remember one thing, it’s your research. You know more about this topic than anyone else in the audience, so no matter what they say, you know more. Don’t worry about it.” It was a great life lesson.
Are you working on any exciting new projects now? How do you think that will help people?
I am deeply passionate about mentoring. I started doing it formally, through my alma mater, Barnard College, and the Executive Women’s Forum, where I’m on the board. Then my colleagues in the information governance community started making informal introductions. I started with just women in tech and business, but I got a call from a man I’d met at a cocktail reception at the AIPAC conference saying, “I could really use your help, could you mentor me?” It’s important to me to help others build their businesses and grow professionally. Unfortunately, my mentees don’t seem to go away, although of course I consider that an honor!
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Don’t let work define you. You are not your work; your work is there as a means to an end. Even though you want to put the utmost importance on it, you have to remind yourself of that fact. Have hobbies and other things to do that put it in perspective. For me, that’s playing classical piano and scuba diving. It’s important to have a community that is different from work, get another perspective and have another group of friends. I have that in my fellow musicians, and I stay in touch with divers I meet all over the world. It’s got to be something that broadens your views and horizons; that’s where self-healing starts. Find what works for you and don’t be afraid to try new things. I would try almost anything once — with the exception of bungee jumping!
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
First, the cybersecurity industry is always changing and shifting — there is no such thing as “you’re done” in security. Second, new systems and devices are always being installed: we have IoT, we have work from home, we have mobility. It makes security dynamic and exciting. Third, cybersecurity is so tightly interconnected with data privacy, data analytics and AI — it’s all pervasive and permeates everything I’m passionate about.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
IoT is something that people are not thinking about enough. Protecting a device is considerably more difficult than protecting your mobile phone or computer network. Say you install a Smart TV in a board room. It may have older chip sets, no software or chip updates, a security flaw that may never get fixed. People have listened in on meetings by hacking such devices. How do you protect against that? IoT is all encompassing — how do companies think about it? Another example that actually occurred is a boiler explosion that was caused by a security vulnerability. Think of all the connected devices in a hospital. They all require an extensive and constantly updated security posture. On the flip side, companies who build intelligent devices need to think about how they’re building security into them.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
The truth is standard cybersecurity tools only take you so far. In order to help you continue to operate during a breach and resolve it, look for tools whose security has been tested by third parties. Independent validation can give you peace of mind about your cybersecurity tools’ security — and privacy and compliance. Don’t trust any company that tells you they’re secure but hasn’t had an appropriate expert third-party verification. An impartial third-party assessment is really the only way to double check and triple check — that’s why we do it at Vaporstream.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
You don’t have to hire a CISO, but you do have to designate someone within your IT organization to carry out obligations. Sometimes people hire interim or fractional CISOs for a few hours a week to do the assessments, but the truth is not everyone has the budget for it. If you need to use “over the counter” software, be sure to choose software that is third-party certified. If you can, use a third-party company to assess your security posture.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
The best thing you could do, honestly, is watch out for “too good to be true” emails, texts and other communications. The most extensive hacking happens by phishing or smishing. If you are going to be a victim of a ransomware attack, the point of the attacker is not to reveal themselves, so you must implement your protections up front, always patch and be proactive. If your computer is sluggish, slowing down, or you’re having to reboot, that’s a sign of a potential virus. Do take care of it before it gets worse.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
First, notify customers. There are laws and regulations about this — for instance, CCPA requires businesses to notify within 72 hours post-breach. The former CISO of Uber is currently being sued in criminal court for hiding the severity of the breach. Once you’ve done that, remedy. If you have cyber insurance, notify the carrier. Reexamine your security posture, evaluate what went wrong, beef up your vigilance, assess how vulnerable you are. Make sure all the latest patches are applied in a timely manner. The best thing to do is to have a plan in place before a breach — making up the plan on the fly is very difficult. There should be a dedicated team with clear responsibilities and clear steps to follow. Execute your plan and then have a post-mortem and lessons learned session.
How have recent privacy measures like the California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?
They didn’t really affect us because we don’t store data — in fact, we help businesses comply with these very laws. They have made it clear that privacy is important and businesses have to take it seriously. Data maps have become important, businesses have to attest to getting rid of data, and it’s the beginning of a culture of greater privacy expectations.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Not training your employees. The other really common mistake is putting data in the cloud in systems that are not vetted. While I was working at a large tech company several years ago, we acquired an email archiving company that had a data center with a cloud provider. Well, the cloud provider went into bankruptcy — this was before Azure and Amazon, when everyone was using different providers — and the customers were coming to us, asking “where’s our data?” We couldn’t get their data because all assets were under the control of the bankruptcy court.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Absolutely. Now that people are working from home they’re not necessarily using company-issued devices, so they might be using devices they share with their kids who play games, or a spouse working for a competitor. Home networks might not be sufficiently protected, or might not have strong WiFi passwords. All cybercriminals have to do is break through these home devices and networks to get a trusted account, after which they can go into companies. It makes corporate networks much more vulnerable. It’s very hard for people to keep their work and private devices separate.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
One. Work from home is here to stay. Therefore, you have to create a strategy to tighten up security at home and give people guidelines. This can be done by issuing corporate equipment and tightly controlling the environment. If you expect people to use personal devices, provide them with standard software, such as anti-virus, as well as guidelines and dos and don’ts. Run extensive employee training. In the current situation, as people struggle with fatigue and work-life balance, it is important to remember that hackers are all too equipped to take advantage of the confusion surrounding remote work. Stop relying on employees to select the right tool and provide ones that emphasize privacy by design.
Two. Most companies rely on various downstream suppliers. There was a breach perpetrated by a nation state on a small electrical contractor in the Midwest. It was not clear why they were the subject of such an extensive attack until, on further examination, it became evident they were a subcontractor to a contractor who worked on the electric grid. A hacker has to find the weak link, and often that link is the downstream smaller provider. Be very careful to examine all downstream providers allowed into your organization and check their security posture.
Three. Make sure you patch your systems regularly and in a timely manner. Some of the most egregious breaches occur because of delays in patching and applying new security measures. It is operationally challenging at times to find an appropriate window. Nonetheless, it must be done and planned for. That’s how Uber wound up in criminal court. Late patching was also a major cause of the Target breach.
Four. The above brings me to this next point. You must have a breach response plan. You should create said plan as part of your cyber posture audit. The audit will highlight vulnerabilities and the response plan will help you prepare for the actions you must take in case of a breach. Like any good plan, you must practice and evaluate it regularly. A plan that sits on the shelf (real or virtual) without being touched is not terribly practical. By the way, if it is available virtually only, you may not be able to access it in case of denial of service. So your plan MUST account for many different scenarios. It is too late to improvise in the middle of a problem!
Five. Run honest and extensive penetration testing and try to see what is vulnerable. Better yet, hire a third party (like we do at Vaporstream) to do it for you. White hat hackers are your friends. Create a data map and understand what information requires the greatest protection. For example, credit card and other personal information of your customers may fall into such a critical category. Your publicly available marketing materials might not. Security is not always a one-size-fits-all exercise, so understand your risk/reward ratio when making determinations.
You are a person of influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think simple, fast, effective, and something everyone can do!)
Spend less time on social media. Not just for cybersecurity reasons — people need to learn how to have real interactions, get broader views, be courteous. Social media inspires single-mindedness. One of my favorite sayings is “don’t compare the inside of your head to the outside of someone else’s.” Get off social media and get out into the real world!
How can our readers further follow your work online?
Follow me on Twitter and LinkedIn — for professional purposes only!
This was very inspiring and informative. Thank you so much for the time you spent with this interview!