Ashish Rajan: [00:00:00] Hello and welcome to Cloud Security Podcast. My name is Ashish and today I’ve got a very special guest from Texas. His name is Taylor Hersom. Welcome Taylor. For people who don’t know you, I know you as a CISO for RSI in Texas. So for people who don’t know you, could you share a bit more about yourself?
Taylor Hersom: Absolutely. Hey everybody. Yeah. Thank you so much for the time, man. I’m looking forward to this conversation. So as you had said, I I’m the chief security officer for a consulting company in Austin, Texas. So what we do is we specialize in actually helping other organizations build their cybersecurity program, and establish a better security posture based on their business needs and what they’re trying to accomplish.
Organization. So my background has been in cybersecurity and compliance. I started with the big four prior to this opportunity. And so for a number of years, I was in the external audit space, hated by everyone because I was an auditor transitioning as cyber security and compliance when it started really becoming sexy and then had this opportunity to be HQ security officers.
Consulting from there. I [00:01:00] actually am the virtual CISO, meaning I am, I’m essentially a part-time CISO for other companies, including like startups and, and some switches, really cool organizations across the US.
Ashish Rajan: that’s awesome. Yeah. And it’s, it’s, I, it’s a perfect opportunity for us to talk about pharma for already have numbers.
I’ll start startups as well. And they’ve gone down the journey of going into cloud. They obviously have security at the back of their mind, but another thing. Comes often for them is data. But before we go into data and cloud security, what does that mean for you
Taylor Hersom: as the size of that? But that’s going to be a 10 minute answer.
Now, what does data and cloud security mean to me? So everything that we do in security and compliance is ultimately around risk, but the risk that you are evaluating is ultimately. Related to the data you’re collecting. So anytime you talk to a cybersecurity professional or an auditor or whatever the case may be, they’re always talking about critical systems, critical applications critical database infrastructure, and.
All of that has in common, is it all comes back to data. So [00:02:00] you’re ultimately protecting those applications and databases in OSTP and network because of the data that you control as an organization. So when you say cloud security, I essentially think of all the startups that we advise for that.
Solely based in the cloud, they have these proprietary applications and they use these third-party applications from the G Suites to the Slacks. And they have all of this data that they technically sort of own, but are also actively sharing with third-party vendors. Inherently. And so that’s, that would be how I would sum up.
Ashish Rajan: Right. And do you find the startups are doing multicloud as well? Like they’re going with say Azure or a mix of AWS and Azure. I’m sure that a SaaS service is already there, but I kind of considered that the public service providers, I guess, like Azure and AWS, they’ll probably have kind of other SaaSes who are using, say a version of AWS or Azure.
And then it’s a startup that you’re working with. Who’s using an AWS and Azure, then there’s like, Data sharing between those, that kind of complexity. That is that common as well, like are just out of curiosity.
Taylor Hersom: Yeah. It’s more that like the, the clients themselves are typically in a single [00:03:00] environment.
I predominantly in AWS to be completely honest. The way that I guess the nature of the beast, the nature of their services, they are connecting actively with their customers in some capacities, depending on the service. But and then they are having to interact between multiple cloud environments.
So in that case, it’s more AWS and Azure and kind of co-mingling at that point, but typically like the client themselves, I’ve only seen them typically. I’d say probably at least 80% of the time in just one environment. Right.
Ashish Rajan: And do you find the, I guess from a, it’s a venous perspective, how aware are people about things like, and the example that I want to use for data privacy is that because I started the board of cost a couple of months ago, and we had this thing on our website where you can subscribe to get, get notification when a new email new episode gets.
It’s going to happen for this as well. Now I have found out as I was going for the service called MailChimp, that you need to have an unsubscribe option, and then you can’t share anything else apart from what you’ve already notified the person [00:04:00] for. You’re going to let them know, or I’m collecting email because I’m gonna let you know what the episode is.
But if I haven’t, I can tell them on that email list because, or things like that. And I’m like, oh, but it’s, they signed up. I had them in the email list, right. It’s like Andy spamming. And I’m like, what?
Taylor Hersom: And frankly make sometimes they make this stuff up as they go along. It’s like kind of the joke of the security community in that, especially here in the states, we have just so many different data privacy laws that are just coming out of the woodworks. And it just, I swear like California is a perfect example, CCPA, California, consumer privacy act, they made so many changes to it, like right before they launched.
And now since they have launched it, because. They’re kind of just, I don’t even know, I guess, dumb jumping in the deep end and saying, well, we’ll wait for the phone calls to come in. And I’m sure there’s more due diligence than that, but it’s like, this is so new, for the entire,
Ashish Rajan: oh, it’s almost like let’s throw it out in the ether and hope it works.
If we become plain that we’ll know what we need to work on.
Taylor Hersom: Well, and, and they took a ton of feedback from the [00:05:00] community prior to launching CCPA, for example. But even then they still had to delay things and they had to change verbiage. And they’ve had to really just, and I know that to a certain extent, that’s kind of the nature of the beast.
Pretty much any law regulation, but this one, especially, it just seems kind of like they, they just said, hold my beer. And
Ashish Rajan: w w yeah. What stands out for you from the CCPA? And is it related to GDPR in any way?
Taylor Hersom: Yeah. So there there’s a little bit of overlap. GDPR definitely fired the first shot. The, the, they definitely set the bar pretty high in terms of what data privacy is and how it relates to the individual.
So for the first time, really GDPR gave European citizens the, the ability to control their own data, which is arguably one of the most valuable commodities in the 21st century. So or currencies rather. And so. CCPA kind of jumped on the bandwagon and went a step further. So they are now giving the rights to the California resident, but they identify them as a consumer.
So someone that is a California [00:06:00] resident that is consuming products and services from businesses, they have now the ability to control their own data. So, now at any time, one of the if, if. Organization falls under the parameters of CCPA. Theoretically, a California resident could approach, let’s say Amazon and say, give me a report on all of the data you have on me and who you shared with it or shared it with.
And Amazon would have 45 days to respond. With a report outlining this and then that consumer would have the ability to say, all right, delete all my data. And if they do not delete all their data, or even if I don’t know the California consumer just isn’t happy with the, they, they don’t feel like Amazon is upholding their end of the bargain.
They can actually file a civil case. So GDPR is handled by, by official regulatory bodies. Whereas CCPA is re it’s handled by a regulatory body in California, but it’s also giving back. To the consumer to handle, the legal side of things about themselves. That kind
Ashish Rajan: of crazy. It is kind of crazy that, oh, I don’t like the way you’re dealing with my data.
I’m going to sue you. Yeah.
Taylor Hersom: [00:07:00] Oh my God. Well, if you pick up all the 50 states, California is the muscle notorious for people just suing for the most absurd.
Ashish Rajan: Yeah. It’s funny. Even though I live in Australia, I have heard stories of California and that people get like food left, right. And center. It’s like a thing.
What is, yeah. Wow. That would fuse GPA would definitely scale a lot of people or maybe it’s that way. Facebook and Google have now got that. Download your data thing, or that’s not the trigger for.
Taylor Hersom: Well, it was a combination of that and GDPR, so Google got hit with the biggest, fine to date with GDPR. So they got a big slap on the wrist.
And Facebook is now, you know mark is, is kind of changing his tune and how, how you supposedly own your own data. And so. They’re making strides. But the, the important thing I didn’t add was like CCPA, for example, cause we were talking about how these things are coming out of the woodworks, that one those requirements into the, the fact that that applies to any organization that collects California consumers.
Not just California companies. The fact that that is, that is the case is it’s [00:08:00] it has such immense implications on the world. And it’s, it’s crazy that we are, we’re at such an early stage of data privacy that we don’t have a singular body, like a governing body nationwide that is enforcing data privacy.
Like people are just making it up at the state level as they go along. And so. Yeah, it’s pretty
Ashish Rajan: interesting. That’s a great point because well, people do, I think at least outside of the US a lot of people know about GDPR. They know that they have to treat the European data very differently, but I doubt a lot of people know about CCPA.
Cause a lot of people in Australia, or I guess a lot of startups in Australia, then the end goal for them is once you grow big enough in Australia, you go to the US and a lot of times it’s San Francisco, or I guess primarily in California. And I don’t think they would realize that there’s this thing that they need, if they’re storing their data.
And I’m sure they would be doing a lot of marketing as well over here. So as they collect data from them, they need to be able to like, do they need to disclose this somewhere that they’re collecting data? Or is it more like they haven’t figured that part out yet?
Taylor Hersom: Yeah, they, [00:09:00] they do have to disclose it.
So you are supposed to be able to acknowledge as a California consumer, what data is being collected on you and you you’ve, you’ve seen I’m sure the website browsers that now, or the website pages that are, you have to agree. To that are collecting certain amounts of data that’s actually related to GDPR.
So now there’s a, there’s a correlation between that and CCPA. So CCPA is essentially the same thing that they have to be able to acknowledge what data is being collected. That data is being collected on them. But so like you said, the Australian company would move to California. If they’re collecting that data before they moved to California, it doesn’t matter if they’re in California, Australia, or Bangladesh, if they are, if they have, 25 million or more in revenue or they collect 50,000, consumers data or they have, I think it’s over half their revenue is dependent on them selling data of California consumers.
Then they have to, uphold
Ashish Rajan: the law. Wow.
A lot of people I’ve imagined would fall into the category, especially say growing big. And a lot of [00:10:00] times the digital startups are using the data that they’re collecting for selling that data anyways. That’s why they make money. So that’s things to me, an interesting point. So for people who don’t know much about data security, data, privacy, data governance, how do you describe that?
Taylor Hersom: Yeah. So everybody uses, this kind of comes back to one of my, something I said earlier, it’s kind of a little bit of a, like a something that I’m passionate about is that their cybersecurity and data privacy are still relatively new in the grand scheme of things. And so there’s still not a single.
Governing body. There’s not a singular I guess, definition for risk and for cybersecurity and for pen testing and for vulnerability assessments or, or even really even data privacy itself, that terminology there. So if you, I always I was quaded to like the, the science community has their terminology, like mass velocity, gravity.
Like, if we did not agree on those terms as a like across the world, like, we’d be in a bad place. And so there is not that we’re still so early on [00:11:00] in security that there is not really a defining definition or defining terminology for, for anything. In the security community. And I might fire up a lot of your listeners just by saying that, but if you really think about it and you go Google the term risk assessment, you’re going to have eight different definitions right.
On the first page. So, but the way I describe it quite simply is it’s in its most basic form data privacy and data security is just you as an organization. Pretty much any organization in the world now collects data. And if you are relying on data to To be able to serve your customers and to be able to operate as a business.
So the idea for data, privacy and security is that you need to understand what data you were collecting first and foremost, you need to be able to understand that, and then you need to be able to protect that data because it is likely considered sensitive data that would potentially cause harm on your customers, vendors, clients in general.
Ashish Rajan: So someone and to your point earlier, because a lot of startups over here also go on AWS first. Or he’s a cloud provider first could [00:12:00] be Google or AWS. What do you recommend? I guess the basic things that they should be Googling for, I guess and the reason I say this is because it’s hard to show value to a startup, unless it’s a cybersecurity startup, the value of security, because for them it’s more like realize to live another few months.
I don’t know. Why am I focusing so much energy on this? I usually think that there are free options and cheaper options and laying the foundation now. So you’re not you don’t, I guess, screw up later on what, what is your thought on this and what do you recommending.
Taylor Hersom: Yeah. So that’s a fantastic question.
The way that we approach this is it’s kind of a three-pronged approach. So, as I had mentioned in, at the beginning of the podcast, I had our work with a lot of startups. So, they’re, they’re kind of flying by the seat of their pants and it’s awesome. It’s a beautiful thing. But like you said, they’re taking on these new technologies, like AWS or they’re adopting G suite or whatever the case may be.
And, and they have no understanding of. The data they collect is. And so what I advise first and foremost is going through a simple [00:13:00] exercise of what a data map. So first and foremost is like a data map and just mapping out what data you’re collecting and how it moves throughout your organization. As a startup.
It should be pretty simple because you only have a few dozen SaaS tools. You only have one AWS instance likely. And so it’s easy for you to be able to understand what data you’re collecting and where, how it’s moving. Once you do that, then you also can label your, we call it data use inventory.
And you can, you can Google that and get templates. But essentially what you’re doing is now documenting the types of data you’re collecting, why you’re collecting them, who you’re sharing it with who, what departments have access to it. And then. Finally, once you have gone through that exercise, then you can start to classify that data.
So now you can start to work towards actually labeling the data you’re collecting, and being able to understand the difference between PHI, private health information, versus PII. So being able to understand exactly what you’re collecting, what [00:14:00] should be private, what should not, what should be protected, what does not need to be public versus private, and then appropriately in, in implementing technologies to help you.
Essentially put them in baskets. So think of AWS, you’re just putting them in different pockets. So you’re going to put your PHI in one bucket, you’re going to put your marketing materials that have upcoming product launches in another, and then your public information, you can just throw into a random trashcan fire.
So that’s how we advise in like AWS. We keep talking about it. You’re going to need to get a sponsorship from them after this, but the at the end of the day, AWS and Azure and Google’s cloud platform have some incredible tools that can actually automate a lot of this for you, but you don’t even have to go that far.
Like we were talking before the call. And encryption is like one of the fundamental things that you can do that you go check out a fricking box in AWS, you have encryption rolled out, meaning that you are actively protecting your data, using private and public keys and keeping that data completely protected at rest and in transit.
So that right there is not rocket [00:15:00] science. It’s easy to write. In, in as I had talked about before with risk management, that’s how we, that’s how we equate everything. So in the grand scheme of things, encrypting your data, addresses a lot more risk, rolling out some of these fancy AI tools.
Ashish Rajan: Yeah. Cause it sounds the startups, you hear, they’re doing so much interesting stuff with data and you’re like is great. You’re storing all this, but you probably don’t want to know how you’re handling this or how do you respond to something if something goes wrong, in terms of material. What’s the scale of maturity you’ve seen in data, privacy, governance and security, the holy triad, what kind of maturity have you seen?
What’s an example of like a immature stock startup or organization versus like a super mature organization, which is doing really, I guess, a lot of things for data, but also doing a really good job of protecting it.
Taylor Hersom: Okay. Yeah. So we’ll take immature first. Surprisingly startups are typically further along, but I equate this to the capability maturity model.
So one to five scale, I mean, startups are typically further along than some of these I guess SMB like legacy clients that have been around for awhile, but [00:16:00] they, they don’t even know, like they don’t even know what CCPA are or let alone, like. Cybersecurity is sometimes so for a very immature organization, they have no idea what their critical systems are.
They have no idea who has access to their systems at any given time. They never removed terminated users. They don’t have a formal process for giving users access. So they’ll just say, look, Joe blow is going to get access to all of our systems. And even if he doesn’t need that access for his job responsibilities Yeah, I have databases sitting in their closet or they sign up for the base tier AWS or cloud service and they just don’t do anything with it.
Minimum viable products go on there. That’s, that’s an immature organization and not having anything like documented that’s another big one is like, yeah. Not having even it’s like going and not having a map prior to going on any kind of journey. Like you, you have to have some form of maps, some kind of guideline to be able to build a cybersecurity program.
And then so on the opposite end of the spectrum,
Ashish Rajan: the, because incident response for [00:17:00] Harding, the data on Hardy. If you don’t know where your data is stored, how are you supposed to protect somebody? I don’t know. Actually, that’s a good segue into the next segment, which is Myth Buster. Okay. Basically what we talk about is what are the myths or what are, what is something that people misunderstand about data privacy, data governance, which is, I mean, it may be very obvious for you, but a lot of people just come sit, compete with.
Kayla, what do you think of this? So what is that for you in your space?
Taylor Hersom: That’s a fantastic question. I would say the number one, like confusing factor is what regulation does someone fall under? So you either see some, you see these organizations that will read about we keep using CCPA. So I’ll, I’ll just keep using that one.
But they’ll read about it and freak out chicken little, the sky is falling and say, I’ve got to implement CCPA. Privacy requirements in my organization immediately. And then you’ve got people that just. Either. I don’t want to say they don’t care, but they’re just people that maybe are a bit overwhelmed.
That’s probably the better way of describing it. And they just have no idea and they put their blinders on [00:18:00] and hope that an auditor never comes in. So I would say that’s probably number one. What do I fall under? And then two is, is that they think that it is too difficult or that they are too small to adopt data privacy, best practices.
We’ve built this stigma around the professional services realm, specifically security, but it goes beyond that. That you have to hire an expert and you have to pay a lot of money and you have to have all this fancy technology. And at the end of the day, you take what you have and you take your budget and you take your objectives as a business and you put those together and you can come up with a solution.
I guarantee it. So that’s, that’s the other portion of
Ashish Rajan: very interesting. And yeah, it’s fascinating because my assumption is this. And I don’t have a startup at the moment. This is, this is the only side of that I have, which is the podcast, but I it’s it is definitely that thinking that, oh, if I have forget about data privacy, unless you’re, if I was not a cybersecurity person, I probably wouldn’t even think about it for me.
Just like, I’ve got an idea. I’m just going to keep thinking away and any data [00:19:00] that I found online, or if I tell them to a few of my friends, I want to just take the data and do something with it. I really. I can just do a little experiment in my backyard and see how I go kind of a thing. And I find that really interesting that it is an expectation that you have to be like this enterprise to be, you effected like, oh, I’m too small for this.
Is that right? Yeah. Like, oh, I’m too small. Like, why would, why would CCPA people care about me? Because I’m exactly.
Taylor Hersom: Well, and the problem is, is that that stigma has just created such a huge problem for, I would, I would say the entire world, because you have these SMB small businesses that feel like they’re too small to get hacked or that they’re too small to get audited or whatever the case may be.
And they’re the ones that have the least, or I guess the most deludes rather. And so. You get hit by ransomware. And the small organizations are the ones that don’t have backups that don’t have redundancy that don’t have the technology needed to protect from that. And they get shuttered and still the statistics crazy.
It’s like 60% of small businesses after experiencing attack go out of business. And [00:20:00] so. 60%. And it’s just, what’s crazy is you can buy ransomware on, on the dark web for 50 bucks and it comes with fricking customer service support. Like it’s so easy to just, I hope I’m not. Any ideas here, but like, it’s just too unfortunately it’s just become that the problem has gotten much bigger.
I guess we’re behind the eight ball is what I’m trying to say is you’ve we took too long to take data privacy seriously, and now we’re playing catch up. And so
Ashish Rajan: the funny thing is I feel like people are for the Googling ransomware customer support. Exactly.
Taylor Hersom: Best ransomware, download
Ashish Rajan: this. I said, okay, if there aren’t are they affected by regular audits?
Is that something that you feel is that understood? Is that a real fear?
Taylor Hersom: That’d be. No. Well, it’s a loaded question. So typically, and I don’t want to be on the record say, and you’re not going to get audited, but typically they are focusing on bigger organizations. That’s why GDPR. I mean, GDPR has issued almost a ridiculous.
Now at least half a billion. Dollars in fines that you don’t hear about, but they’re there [00:21:00] smacking large organizations. So typically they’re not going to pick on someone that they’re going to put out of business. Like they won’t, that’s typically how it works and that’s the same for HIPAA as well. But the, I guess the idea is just that the.
Data privacy in general or audit in general, as it relates to data privacy. The issue is when the customer has a client, that then is either a breached or asks for their security posture as I call it. So asking what are you doing to protect my data? So you see that a lot more. So these small customers there if they experienced.
And they go through they have to legally report that they can’t handle the fines. They can’t handle the associated legal fees and any of that. And then if a customer of theirs is breached, they have the right to sue the small. And then finally you have these small customers that land these huge clients.
So you’ve got customers that are doing business with Facebook, or they’re doing business with the government and if they get dropped because they don’t have an appropriate security [00:22:00] posture that’s their, that’s their Britain. Yeah.
Ashish Rajan: Wow. Yeah. Wait, and how do you, so, because we’ve got to mention this earlier where some people have that security mindset already, or some people may have been triggered with something by the customer or got breached for, for the people in the other camp who probably are still listening to this, like, yeah, this is not going to happen to me.
Yeah. Is there something that you share with them and you meet them and like, what is it that you tell them to make them reconsider the standard?
Taylor Hersom: So, unfortunately there are always customers that I interact with and individuals of organizations that just don’t take it seriously. It’s negligence, and they don’t think that they’re going to be breached.
So they don’t see the importance. And the problem is, is it’s because as a society, we’re always talking about these organizations. And the breach that they sustained. So they lost a hundred million records and they get fined a million dollars. And that’s all you read about in the news. You don’t read about what happened to those people, whose data was compromised.
And so there, we can provide some resources [00:23:00] after the fact that you can link to, but there’s some incredible books out there like chasing vapor is another is a great one that actually. The repercu, it breaks down the repercussions to the individual and it blew my mind like what you can do when you have compromised data.
So everything from taking out student loans to buying houses, to buying cars, to like ruining people’s credit, which we always talk about of course, but like the, just the, from SIM swapping to, to stealing credit for. You can become, it’s a lucrative business and you can do a lot with a little it’s insane.
And so I always urge customers like to, to think about, I I’ve never met a company out there that isn’t passionate about what they’re doing. Like everyone operates their business to do they have a specific purpose and it’s always serving someone in some way to be able to. Look at it from a different perspective and say, you need to protect your customers.
They entrusted you with their business. They entrusted you with their sensitive data and like, it’s your responsibility to [00:24:00] protect that. So that’s how I.
Ashish Rajan: And I will. I’m convinced I’m definitely signing it. Now it’s time for my last section, which is, which is fairly a fun section. I like to call it.
It just a few questions though. Don’t worry. It’s not technical. Just something. So the first question is what do you spend most time on when you’re not working on C.
Taylor Hersom: I would say, I definitely am a nerd when it comes to security and compliance. I love to read outside of work and just kind of hone my skills.
I’m passionate about like leadership. So I’ll read a lot in general and like leadership, I would say leadership and cybersecurity are my big three ones.
Ashish Rajan: And then that’s a great councilmen, but what is something that you’re proud of? What is not on your social
Taylor Hersom: network? Proud and thankful for the fact that I found something that I truly love to do and therefore, pursued it diligently to be able to, I mean, I’m a younger guy, so I’m 30 years old and I had the opportunity to be a chief security officer and it was just because of grit and determination.
And it’s just an obsession. Unfortunately, not everybody can find that. We all find it at different stages in life. So I’m proud that I was able to find [00:25:00] that and know where to, I guess, shine my flashlight.
Ashish Rajan: No, no, that’s a great answer. Last question. What’s your favorite cuisine or restaurant that you can sure.
Taylor Hersom: This one, I’m a bit of a foodie, so it depends on. The month, but you, you said favorite food or restaurant? Yeah. Okay. I’ll give a shout out to a specific Austin restaurant that recently blew my mind. And oh crap. What’s it called? It blew your
Ashish Rajan: mind so much. Got around the main,
Taylor Hersom: oh my gosh. Why am I drawing a blank?
I’m a big fan of sushi. So no, the definitely Mexico out here, but the, so not, not exactly the best source of fish, but I found a really cool place. That is a completely sustainable sushi restaurant. And it’s like right on Austin, south Congress, you gotta check it out south Congress. If you’re in Austin healer robot, that’s what it’s.
Truly robot robot. Oh no,
I don’t know where killer came from. Please.
Ashish Rajan: Killer on board with sustainably producing fishes.
Taylor Hersom: Definitely lucky robot is definitely not killer robot.
Ashish Rajan: That sounds killer robot, but not a lot. You know what it is now. Thanks so much for your time, man. People making their reach you on social. If they have any further [00:26:00] questions on data privacy, data governance.
Taylor Hersom: Yeah. I would say that LinkedIn is my number one spot, so you’ll have my name in the comments. And then I am on Twitter, but my Twitter presence is embarrassing. So definitely spend most of my time on LinkedIn. Yeah, we’d love to connect with folks, would love to chat more about security, any way that I can help.
It’s the security community, as I’m sure you agree. Few and far between, so we gotta stick
Ashish Rajan: together. Yeah. A hundred percent man, a hundred percent. And thanks for coming on board. Thanks. Thanks for taking time out. Really appreciate it. And thank you.