Ep. 3 – The Importance of Security and Privacy for Consumers, with Roland Cloutier.

Transcript

Intro: 

Welcome to another episode of the Elusive Consumer Podcast. Today Ellie is talking with Roland Cloutier, principal at the Business Protection Group. Join us as Roland discusses his previous experience as Global Chief Security Officer at TikTok and ByteDance, the importance of protecting consumer data, accountable AI practices, and his current role at the Business Protection Group where he helps businesses protect themselves with transparency and compliance. Let’s get started on The Elusive Consumer.

Ellie Tehrani: 

Hi, Roland, and welcome to The Elusive Consumer. It’s so very good to have you here today. I can tell you how excited I am about this particular topic that we’re going to discuss in detail. So, any first words of the introduction that you want to kick us off with?

Roland Cloutier: 

No, it’s great to be here. I mean, I think one of the things I love about your podcast, it gives a little something for everyone, and security risk and privacy isn’t exactly an easy topic, especially to people that use technology. So, from my perspective, happy to help out where I can.

Ellie Tehrani:

Thank you. So, in my line of work of market research data is everything and how we collect the data, how we dissect and analyze and get that insight to our customers. But the topic that we rarely discuss with clients and others is that how the data is gathered, if it’s done with intent and integrity and how we can protect that data. So, that’s something that I want to touch upon in our conversation today and what you’ve done in your line of work to ensure that consumer data is always protected. But before we get into that, how about you start us off with your passion for security and data privacy and how you fell into that?

Roland Cloutier:

Yeah, quite literally fell into it. I think I had left the military and went into federal law enforcement and ended up in an organization where I was doing fraud crimes in federal healthcare system. And interesting enough, it was a lot about fraud against US taxpayers and fraud against technology systems. So, I actually went back to school to learn about technology. I came out of the military ground pounder, a detective for the government, and I did not know anything about technology, but everything I was doing had a technology nexus. And so when I came out of school and decided to make this my career, I literally found a whole new world that needed help, that needed someone with a posture for defence, a posture for being able to solve these hard, complicated problems where bad guys wanted to use data. And my career took off. That’s how I fell into it. And next thing I know, I’m building my own companies and joining others as a chief security officer. And it’s been a great 20 years doing this.

Ellie Tehrani: 

I mean, you’ve authored books on security, you won awards, you’ve worked for some of the largest organizations in the world, but I’m interested to know what security means to you in your role as a father. Talk to us about that.

Roland Cloutier: 

Yeah, I have two wonderful young women who are older now, but they came kind of out of the womb with a Nintendo in their hands. I mean, when they were younger. I remember my oldest who owns her own business now and she’s just an amazing woman, but she was three years old and logging onto our computer so she could play her games and do her studies and learning online. And that was 27, 28 years ago. And I remembered during that time how hard it was for me to manage as she grew up and phones came out and everything else and to manage those things. And I did it for a living and it was always a concern for me, how do the rest of the parents who have jobs and they take their kids to their sports and they do this to now learn technology to manage, it’s a dangerous space.

And then when I got in deeper into that environment and realized the threats that were really possessed. I used to do a lot of public speaking on that topic specifically. And I used to get people’s minds wrapped around it by saying, would you take your eight-year-old and drop them off at the corner, some busy intersection in New York City and walk away from them? Because when you leave them on the internet, unattended, unmanaged, that’s what you’re doing. They have access to content through those devices if you are not managing them, monitoring, helping them, educating them, that’s what you’re doing.

So, as parents, we’re responsible for our kids in everything that they do when they’re younger. And I think as practitioners, part of giving back is helping educate the world on what that really means. And so that’s, as I think about the history of my kids and what they taught me, I think it was being accountable and responsible to the rest of society and making sure that I’m not just giving back, but the good Lord gave me some skills to go do what I do and I should be helping the rest of the kids out there.

Ellie Tehrani:

I mean, the topic of cybersecurity is so very hot right now in particular with what’s going on in the US and it’s something that I don’t know about you. I studied law, I studied Swedish law, and when I studied it back then, it was just a fairly new topic. There wasn’t as much information about it as I would’ve liked, as most people would’ve liked. Do you think that has changed over the years and do you think that there are now more regulations and guidelines for organizations as well as consumers?

Roland Cloutier:

The answer is yes, period. At the end of the day, in the last two years, there’s 17 new privacy laws that came out and different sovereign jurisdictions on the globe that if you’re a multinational business, you have to adhere to in each one of those areas. So, put that aside for a second because I said privacy. The reality is there’s privacy law, there’s cyber law, there’s independent laws for consumer data, the protection of consumer data. So, it is a large set of legal jurisdictional requirements and regulatory concerns around the globe that businesses and agencies have to be aware of. They just have to. And I mean here in the United States alone, you know have the FTC regulating certain things. You have the FCC, you have different state jurisdictions doing very independent and different laws. And as a business you have to be accountable to those laws and the protection of consumer data, the privacy attributes and requirements and even laws on children’s data is extremely different than that general laws on privacy. So, the answer is yes, and it’s a very, very complex world and I’m glad I’m not an attorney.

Ellie Tehrani:

But what about businesses and in terms of what they’re doing to ensure that they stay protected and also that they protect their customers in the sense of understanding the importance of security, but also implementing a culture of security? How do you go about doing that?

Roland Cloutier:

Well, let’s start with the accountable and responsible thing first. First thing first and as I talk and train other security practitioners and businesses, I teach them, one of the basic things I teach them is know your business. In the concept of security and in protection, there’s a simple term that’s been used for hundreds of years and it’s it you can’t protect what you can’t see. So, if you don’t know what you’re protecting, how can you really protect it? If you don’t know what data you’re collecting, if you don’t know what your application does, if you don’t know what your API does. Now I’m not going to get super technical, but the reality is just looking at your value chain, your business value chain of your company and saying, how does my product work? How do we design it? How do we build it? How do we market it? How do we sell it? How do we service it? How do we monetize it? And what are all the systems under each one of those areas? And how does the data flow?

If you do that, you’re 90% ahead of the rest of the organizations out there. And so you can start by understanding your business and what data you have, what you collect, what you don’t collect, what your applications can access or not, and then we can start talking about a protection program. So, I think that’s the start, but I liked you getting at that question of how do you ingrain it in your organisation. And that’s really just a top-down effect. I think when you teach your employees that security’s important.

When the CEO of the company talks about how data and data protection and the protection of our customers is important when you affect policies in your environment, when you enforce policies in your environment, when you add extra layers of technological protection to ensure that you show that it’s important and you invest in that portion of your product, I think it kind of goes downhill and people start to understand it. So, the more you communicate, the more you educate and the more you act about what you’re talking about, I think it naturally brings that type of understanding to the rest of the organization.

Ellie Tehrani:

Right. And have you seen any companies out there at the moment that are doing this better than others, would you say?

Roland Cloutier:

I mean, there’s a lot, I mean you look at some of the big companies like Google, Amazon, TikTok, having worked there for three years, just doing some amazing work with the teams on data defence and access assurance, they’re all doing great things. I’ll take Google for example, over the last year has provided consumers with the ability to understand what their browser’s doing, stop things in their browser, whether certain organizations in their applications want to use data or not. They give you the option, the opinion, the capability.

TikTok for example, giving parents the ability to manage their kids, what their kids can and cannot see, and what data is collected, not collected. And the same with Amazon. I mean, you see these really responsible companies developing next generation technology and providing it openly to the rest of the world to say, here’s the privacy standard and here’s how you build a capability to implement that within your products. I think those companies are doing really great things and there’s many, many companies around the globe that are doing it that are really accountable, especially in the [inaudible 00:11:46], the financial services area in consumer-driven organizations.

Ellie Tehrani:

Right. Let’s go back to your role at TikTok a little bit. TikTok as a platform, going back to the topic of younger generations using different types of social media and how parents can protect their children and so forth. They’re in a bit of a risky space in terms of how much can they control versus how much they want to control. What would you say is the balance that organizations within that sector should strike to ensure that it’s a topic we’re discussing right now on the Google and what they can do to ensure that consumers continue to enjoy their platform but in a safe space and safe environment?

Roland Cloutier:

I think generally for all companies in that industry, I think there’s some basic concepts of application defence and things that ensure that you’re protecting data. I think there’s advanced controls that organizations are putting in that segment and make available choices within those privacy and security controls and what you do or do not want as an individual. And then I think third is the continuing work that all of these organizations are doing in the trust and safety capabilities and understanding what’s on their platform, what is part of what I would say their community, their community guidelines and their policies and being able to enforce that in automated way. I think as they continue down this path forward, executing those three things well together equates to a platform that gives choice, a platform that ensures the protection of the data that’s entrusted to them and a platform that acts as a policing force that is reasonably expected to be able to remove unwanted material and harm from the platform. I think doing those three things together well accelerates that industry forward.

Ellie Tehrani:

Do you think the same applies based on all these new technologies that are coming out say with the emergence of AI and IOT and blockchains, is there anything else businesses can do to prepare for these new risks?

Roland Cloutier:

Well certainly get educated on them. I think that’s that one big thing is I believe that people don’t really understand what AI is and how their business may or may not use them or their employees may or may not use them. They may not be an AI company, it may not be a high-tech company, but their users and their employees may be using it and what is the implications of that? So, I think that’s one is learn more about it, especially if you’re a technology executive, risk executive, privacy executive in those companies. The second thing is if you’re using AI or ml, or planning to use it or you’re thinking two three years down the line from a strategic or a product strategy perspective, start thinking about accountable AI practices. And there’s some great documentation out there. European Union has released some great information.

The UK has, the US government has released things on this type of appropriate use of AI and it’s stuff like understanding what you will and will not use it for, how you will secure it, how you will look at bias validation, testing and assurance, so the quality components of it, the security components and educate your organization. The reality is that it is like any other technology, it adds an exceptional capability to the delivery of product services and potentially just such a positive influence to the lives of people around the globe that it’s going to be embraced and used to drive industry forward, but it has to be used responsibility and we have to have guardrails and appropriate security in place to support it and businesses are going to have to figure out how they pace themselves and how they protect themselves against it in all different ways. But the reality is in order to embrace it, you have to understand and that’s the first step.

Ellie Tehrani:

And that educational piece that you keep returning to on the subject of security, which some people might not see as the most, and excuse me that I’m saying this, fun topic, but how do you make it more engaging for the overall masses in consumers?

Roland Cloutier:

So, I hate PowerPoints and I’ve been in big companies and small companies, so I really dislike PowerPoint to death and check here that you’ve seen it and I get it. When you’re dealing with tens of thousands or even hundreds of thousands of employees, there has to be a mechanism by which that you implement something that everyone can consume it and you can validate it, but people who have done it better, gamification, my last couple jobs we did gamification where they could play a video game or they’re making choices and all of a sudden the game is going in this direction and it’s educating them. I think, you look at the age of your workforce. At my last job at TikTok, the workforce was like 50% younger than me. And so you have to sit down and look and see, understand how they consume the data, how they want to see the data, do they want to see it on their handhelds?

Do they want it to be a game? Would they rather have a podcast or a video cast? I think you have to really pay attention to your culture and design your education programs around that. And by the way, externally too, I think responsible companies also help educate the public. So, you look at credit card companies or banks, they often have things that you can go learn if you’re just a consumer using the bank or the large technology and social companies, how they have education videos that teach you how to use their technology and the security around it, why it’s important, that’s important.

And the last thing I would say is repetitive beating people over the head about it with the same content doesn’t work. Testing to a certain level, and I’m really speaking to companies now is if Roland or Sally know that I’m not supposed to click on a link and they can test out of it, don’t make them go through six hours of this stuff. Have them do a basic knowledge check couple times a year and then provide additional things for them that they missed and they need and make content on demand. And by the way, make it relevant. If I’m an executive administrator to a bunch of executives, I’m going to be targeted different than if I’m in a call centre. If I’m in a call centre, I should know certain things. And oh by the way, if I’m developing code, there’s other things I should know. So, it can’t be peanut butter spread, it has to be made for the culture, the community, and the job function that the folks are in.

Ellie Tehrani:

Let’s talk about the other side, the end user or the consumers so to speak, and them becoming more aware of their data and the value of their data and perhaps talking about how they can get a better sort of incentive for their data than they are currently being given both in terms of our industry, for instance, market research as well as in technology where data is being collected passively, for instance. What do you think is happening there that we might look further down the line in terms of how consumer data is protected for them and what they can do to make the most of their data when they interact with different corporations?

Roland Cloutier:

Lot of questions there, so let me try to break that apart a little bit. Well, let’s talk about consumers and their information. I think the first thing that consumers can do is make decisions on the available things that are within their control. So, if I use a specific app or application, spend a few minutes looking at the data that they provide, we’re going to use your information for this, this or this. Now I get it, the ULAs are 75,000 pages long and a lot of legal speak, but many of them have those consolidated and if you don’t understand what they’re doing with your data and it’s important to you, don’t use it. Pretty simple. I think that’s number one. Number two is go through and be accountable to your privacy settings. Let’s take Facebook for instance. They have a great capability for you to decide what data you want shared publicly or privately or what can be collected or not, and so on and so forth.

They put it in your hands and they have a great tutorial that they take you through. If you’re going to use that technology, use those controls, be accountable and responsible to it. Now I think the next set of questions you asked really had nothing to do with the consumer. It has to do with legislation and governmental organizations protecting their consumers and that will just have to continue to go down the path of transparency, from my perspective, there’s nothing the consumers can do there but vote in the people in their cities, towns, counties, states, country, that it has a focus on ensuring the collective protection of the consumer, the consumer’s information. And the more transparent we make it. Transparency of choice, transparency of control, transparency and knowing what my data is used for and having a choice in that. As those are getting written more and more into law, it actually makes it easier for organizations to digest and to automate and to put as components of their product.

And it makes it easier for the consumer to make decisions on what they want their information used for or not. I happen to the fact that in certain applications they know that I’m looking at a certain type of technology and doing research that it pops up, hey, here are 16 other areas. Did you know that this is going on? You might want to look this. I like that. I don’t want my email going through and then provided information on me talking about my Thanksgiving dinner with my mom. I don’t need recipes popping up. So, in other areas I don’t like that. And so the more that becomes a choice for the consumer and the more that products enable that, I think just becomes a more positive relationship between the consumer and the businesses interacting.

Ellie Tehrani:

And talking about the positive interactions. There’s a lot of negative spin on data and data privacy. We don’t talk about the data that does good as much lately and I’d like to emphasize that and how some of these big tech companies have actually made technology more accessible to the wider masses and also giving us a larger set of data. And when I say us, I mean the research industry and of, and that benefit ultimately goes to the corporations and our clients and helps improves product for the better.

Roland Cloutier:

Look at COVID.

Ellie Tehrani:

Right.

Roland Cloutier:

10 years ago, how long would it have taken to actually find the capability to defend against COVID from the biopharmaceuticals? That was lightning speed. And each year we get faster. It could be days based on the data and it treats and saves lives around the globe. And speaking of the pharma industry, the more data they have, the better they can treat and cure diseases and it’s right. And I know it’s so regulated and it’s such sensitive data, it has to be done in the right way with the right controls, but we’re doing great things. The science around farming, I mean you can get me on this forever. I’m a big believer in the use of this data.

My daughter’s a farmer, she works in agriculture and manufacturing field. And the way you look at drone footage, the way you look at the remote monitoring of soil segments and the health of livestock all coming into these databases, creating an understanding of what our food sources are looking like, the health of our food ecosystem and driving when we may have droughts versus when we’re going to have excess and how we can spread that and share that across the globe. That’s happening today. That is things that did not happen 15 or 20 years ago. And so I think understanding data, how it can be used and being accountable to appropriately protecting the type of data that we’re responsible for within these research institutes or in these industries is critically important. But you are right. People are living better, healthier lives because of the use of technology and their information.

Ellie Tehrani:

But on the flip side of that, do you think that because of some of the concerns that we’re seeing today that governments might perhaps impose stricter regulations which might prevent further innovation? Or do you think that the right balance will kind of find itself? Where do you stand on that topic?

Roland Cloutier:

I’m kind of a glass half full type of individual, so I think the world overreacts than comes back and they overreact and come back. So, I think we’ll see harder things and we’re going to have to work within governing policies and embodies to educate them as well. I mean, government organizations are not technology experts, although they have some often how the rubber meets the road, they need better education. And so as long as we continue to be joined in the same goal of advancing the betterment of society while ensuring the protection of consumer and citizens in different jurisdictions around the world, I think we’re fine. And it’s going to be a test and validate. Can you actually apply that control broadly? No, you break an entire industry.

And well, is it bad if you break that industry? Maybe not, but then here’s what you’re losing from that. So, I think there’ll be give and takes, testing and analysis on how that works. We did it in the financial sector and we made a lot of great progress in protecting and ensuring the information assets, financial infrastructure in the financial ecosystem of this country and many others. And so I think we can continue to do that an evolutionary type of way that involves both the public and private sector.

Ellie Tehrani:

I want to talk a little bit about your existing role at the Business Protection Group. Talk to us about that.

Roland Cloutier:

Yeah, I’m first time in 30 years I’m out of operations morning till late at night worrying about who’s hacking who and responding to major incidents and saving things around the world. It’s the first time I get to take a step back and give back a little bit and help to other CISOs and organizations on the development of their programs that protect their businesses. Also, research. I’m doing a lot last three years have been huge in data defence and access assurance and how you bring to life the capability and the realism that there’s a way to do this and there’s a way to do this with great transparency and great protection and truly be able to achieve regulatory compliance. And I think we’re just at the edge of greatness in this area. So, I’ve taken a step back to do some research in that and help companies that are in that space looking at advanced technologies as technology moves.

We moved from the enterprise and then we moved to the cloud and then we moved to APIs and now we’re in these microservice service mesh infrastructures. And each time you do that, there’s a major title change of controls and where it happens and what you can see and can’t see. And so making sure that the industry understands that and that there are companies out there that are being funded to go protect that and to help in that change or some of the things that I’m working on. And quite frankly, it’s great fun and doing a lot of education at the same time and lecturing. So, just taking the 20 or 30 years that I’ve had in protecting businesses and people and in society and helping others understand as they’re coming up into this new crazy technological world, how they can effectively do that job and what we have to do next is what I’ve been focusing on.

Ellie Tehrani:

Great. I’m also really interested in your background in the Air Force and as a veteran in the military. So, talk to us about how that has shaped your career path.

Roland Cloutier:

Yeah, I mean it’s the foundation I guess of who I am and what I’ve become. I think the military was something I had always looked forward to when I was very young following my father’s footsteps as a air force security policeman and the military in general and the militaries around the globe give such a great understanding of a collective mission. So, how we work together to affect the greater good and to protect the citizens of these societies that we live in. There’s a lot goes with that. And there’s the normal stuff like discipline and self-discipline and teamwork and effective leadership. But there’s also the thing within my own practice from security, when you’re protecting think lives and people around the globe, the government spends a lot of money teaching you how to do it right. And it’s come over hundreds and hundreds of years of learned examples through wars and peace time and conflict, how to do this right.

And so I’m so grateful for the opportunity I got in not just the Air Force, but working in the Department of Defense and then working in civilian federal law enforcement of the countless hours of training that I’ve gotten and been able to continue that in my commercial life. I never thought I’d be doing the same job, but not with law enforcement powers, but with the ability to affect and protect businesses, companies, and people for around the globe in a very different way. And that has given me such a firm foundation of how I lead, how I think about protecting and how I continue forward in making sure that we have a lifecycle of learning and execution. So, yeah, it was certainly the foundation of who I am today.

Ellie Tehrani:

There’s a couple of things in there that I want to dig into. The collective mission aspect of it all, do you think that most of the larger organizations these days have built that collective mission or do you think that that’s lacking in some of these corporations?

Roland Cloutier:

I don’t know if I’m want to opine as a, I’m not in those organizations, I can’t tell you, but what I could tell you is that I talk to a lot of leaders and sometimes even in our own industry and space or a profession, we forget about it. I forgot about it. But when you’re leading individuals that doing this type of work, I think it’s hard. I mean the work is hard, all work’s hard, but security risk and privacy laws, everything changes. People are trying to hack into you, you’re responding to stuff, it’s late hours, it’s tough work. You got to really want to do this.

In order to keep people motivated often the people that do this type of work want to know why. Why am I doing this? What am I helping? When I was working in technology manufacturing, we used to talk to the teams every day about your systems are going to 80% of critical infrastructures around the world. The stuff that’s being built in those manufacturing centres that you’re protecting is going into 80% of critical infrastructure industries around the world. If we don’t do it right, it breaks or gets hacked. You’re talking about mass implosion of society that uses this information, these data assets to manage their countries.

Ellie Tehrani:

No pressure

Roland Cloutier:

No pressure. And when I was at ADP, we used to talk about one in six people on your street get paid through these systems, billions of dollars of money movement every single day goes through these systems to ensure the financial ecosystem of this country, one in 10 payslips around the world get processed through our infrastructure. You’re accountable. If you want to be here, if you want to do this work, that’s your mission. And you may be an analyst, you may be a security engineer working at a specific part of cloud, but if you don’t do your job that your partners over here are expecting you to be doing so their stuff works, then you’re the weak link and you failed it. So, if you want to be in this mission, be in it, know what you’re protecting. And it’s the same thing at TikTok and that team, just an amazing team over there, they knew.

And we used to have it on our shirts, protecting the world one TikTok at a time, ensuring the sanctity of the data, ensuring that the platform is clean and free of [inaudible 00:35:58] and things that would harm others. I mean that these teams get it. And so I think great leaders make it a purpose, a daily purpose to ensure that their organizations know what their mission is. And so when I speak about the collective mission, I’m obviously talking about what we did in the military and government, but the reality is every company has a mission. You’re healthcare, it’s patient safety and ensuring that people get well if you’re in oil and gas and in that part of critical infrastructure, it’s making sure that people stay warm fed and the lights stay on. Those are pretty big issues. So, mission is important.

Ellie Tehrani:

Right. And do you think that that mission translates to the consumer as in the companies that really emphasize what their collective mission is, are the more successful ones or do you think that that’s-

Roland Cloutier:

I think so.

Ellie Tehrani:

Yeah.

Roland Cloutier:

I think so. I think when you see an organization care about the people they are supporting or supplying or as their customer, then I think you are more apt to want to be aligned to that brand. It even comes down to commercials. When you were a kid and you saw that Coke commercial and it was a great Coke and it meant a wonderful sunny day, didn’t you want a Coke? I think it’s the marketing. There’s marketing and there’s realism. When you see the State Farm, I love State Farm. I’m a State Farm customer. Why?

Because when I was working hurricanes to make sure that that places that got just pummeled by a hurricane had no infrastructure, but we wanted their paychecks up and running. We wanted to make sure that our people were safe and we were there. State Farm would beat us there every time to make sure that they were taking care of their customers. That’s the type of company I think that consumers want to be aligned to is those that not just talk the walk, but they walk the walk, they show it every day and they bring that mission forward and wear sleeves every single day. Yes, I think consumers do. They don’t just get faked into believe it. They look for the reality of what’s happening in that organization.

Ellie Tehrani:

We often talk in our industry about how the businesses that are the most successful are the ones that can actually truly engage and connect with their consumers. And I guess it’s difficult in certain verticals to actually be able to connect with your consumers, but how do you think some of the organizations that you’ve worked at, whether it’s ADP or TikTok or your current organisations, have been trying to do that to truly connect with your audience?

Roland Cloutier:

So, many different ways. I think when you talk about organizations that provide consumer services or even mention payroll service, something like that, when they offer tools, technologies and trading to the end user, the people that are actually using this and capabilities to make their life better, I think people see it. I think when they look at their involvement in the communities they serve and whether it’s something as simple as, I’m a veteran, so something I love doing is taking people coming out of the military, helping them understand what they can potentially do in the future and retraining them for commercial work. And so many companies do that well now or they work in their communities to fight homelessness or hunger. They give time to their employees to go into the communities and do that.

I think it’s exceptional and they see that that’s not just talk or one social thing that they’re trying to advertise, but companies that are consistently there. Maybe that’s the word, consistency. Organizations that take the time and effort and real effort to align to their consumers and do great things I think is important. And you see that in different ways. You see companies in a high tech space creating joint councils with their competitors to fight things like human trafficking. Consumers see that and they’re like, I have kids. I worry about my kids getting abducted every day and the fact that these five companies are working with global law enforcement, Interpol and national authorities to prevent this, I’m going to support them. And so I think consistency and actually really doing the work is important.

Ellie Tehrani:

Let’s circle back to the security topic and talk to me about an example of a really tough decision that you’ve had to make in your experience working in this vertical and how you went about coming and arriving to that decision.

Roland Cloutier:

So many decisions, so little time. As protection specialists, it’s kind of like law enforcement says they bleed blue, this is what they do, this is what they were born for. And same thing I think in the profession I’m in, we don’t like to see bad guys win, but often you work for a commercial entity that only has so many dollars, their market is only so big and you have to make choices. Am I going to defend that, which is most important to my consumers and the protection of the organization and the shareholders, or am I going to go do that which I really want to do but maybe doesn’t have the same effect? The prioritization I think happens on a daily basis, but as you run through budget cycles and you run through critical issues that impact the business, the customers, the shareholders, and the economies you serve, you have to make risk-based decisions.

And honestly that on a yearly basis is probably the thing I’ve always found the most difficult is what do we attack? What do we push forward and why? When things drop below the line as they like to say in business, is it the right decision you made? You can make snap decisions about to investigate or not investigate or to go into a market or not in that market or so many decisions that you can make. I think that the toughest one I continue to find in my career is what will I do and not do this coming year to ensure that the commitment to the mission and to the business and to our consumers.

Ellie Tehrani:

You mentioned prioritizing and budget cuts, which is I think on top of mind for every organization these days. If you were to say the company comes to you and goes, we emphasize security, data privacy, all of it, corporate governance, however we only have X amount to spend on this, what is the most important aspect that companies should not forget to invest in?

Roland Cloutier:

Insecurity. Well, it’s a tough one. Thanks for asking that. Listen, there’s some basics, just some basics. And you’ll look at industry analysis and they say 83% of all breaches are caused by things that could have been simply prevented through basic industry standards in ensuring that the compute infrastructure has minimum viable capabilities to defend itself, what they used to call antivirus or anti-malware. Now it’s EDR and different concepts around it. You can’t operate a business without that. It’s irresponsible. So, I think that’s some of it. Monitoring. If you’re not looking at the stuff you’re claiming you’re protecting, probably you’re going to have a bad day. First, because you’re not going to see it and it’s going to cause the greater harm over the longer amount of time.

The second, you’re not going to be able to respond to it well, and it’s not good for your company, your consumers or your brand in any way or shape. So, make sure I have the minimum protection that you have the appropriate level of monitoring going on. And the last thing I will say is this, really understanding of identity within your environment. Identity is super important. It’s the basis on how we protect data. It’s a basis on how we let people have access to things. It’s the basis on how we make data movement decisions. So, identity has to be prioritized and I could go down 15 other minimum viable requirements, but I think if you’re looking for the top three, I would stick with those.

Ellie Tehrani:

And you think those apply to startups as well as larger corporations?

Roland Cloutier:

Oh hell yeah. I talked to small businesses all the time. What can I do as a small business? Listen, you’re not going to hire a chief security officer. You’re not even going to have a CIO because you are the CIO as the CEO and the business owner. But can you do simple things like make sure that every computer that your 15 employees have has Andy malware protection on it that you can get from your high speed data provider. It doesn’t matter if it’s Comcast or any one of the big ones, most of them provide, AT&T, they provide anti malware. They don’t want it on their networks as much as you don’t want it on your computers. So, do things like that. Make sure usernames and passwords are used. If you have sensitive data, get support a couple times a year from an outside third party to make sure you don’t have breaches or other problems.

And of course, tell your people it’s important. Have a policy, explain the policy the day they get hired, make sure that they attest or sign that they, they’re going to agree to it and enforce it. You don’t need money or technology to do that. You need passion to say that this is important to our company, it’s important to our customers and it’s important to the community we serve. So, it’s going to be important to us. So, please know these five things, and by the way, these things are free like on the National Cybersecurity Alliance and CSA. These things are free to small businesses. There is small business administration has free capability as well. And even Department of Education has free training material for businesses. So, the excuse of we can’t afford it doesn’t ride. If you can afford to be in business and be accountable for having people’s information, you can afford to engineer that into your operations.

Ellie Tehrani:

Really today you can’t afford not to is a reality of things.

Roland Cloutier:

True.

Ellie Tehrani:

Talk to me about true something innovative and creative that you’ve done or come up with in developing security programs.

Roland Cloutier:

I’m still a big believer in converge security. And so the term converge security is when you look at certain aspects of security risk and privacy operations where you don’t have separate organizations doing them all, you converge them into one. As you mentioned earlier, I wrote a book on it for postgrad education and the industry and as a CEO, it’s tough when you have your cyber security executive or your CISO come to you and say, this is important. And then you have a chief security officer come to you and say, this is important. And then you have head of risk come to you and say, this is important, it’s all important, but how do you look at it under one umbrella? And when you start to stovepipe disciplines across different security entities, then you start to stovepipe mission and then you start to stovepipe capabilities and you don’t have shared capabilities necessary and shared services like your risk organization should support all of them.

Your monitoring and response organization should support all of them. And so one of the innovative things that I’ve done through my career is continue to evolve and create organizational capabilities within the industry to have converged security organizations at very senior levels that drive effectiveness, cooperation, consolidation, financial responsibility and efficacy improvement through the shared use of capabilities across all of these different disciplines. And one of the things I’m most proud about. I think the better you can use your resources and assets to do the mission better and following the steps, what even our militaries have done.

When you think of the JTF operations or joint task force operations in the military, the naval group is broadcasting what they’re seeing on the ocean to the army operations on land. And the air force is broadcasting the things that they’re seeing in the sky all on one, what we would call threat surface, right? They’re sharing that information and they’re operating together under one joint command. And in businesses in security risk and privacy, you can do that too. I think why that is innovative is because most people haven’t thought that they could necessarily work operationally together. My take is you can’t afford not to.

Ellie Tehrani:

If we, I’m conscious of the time, but I have so many questions. I’m sorry. If we were to talk about security today versus security tomorrow and looking at different stakeholders, so let’s talk about going back to parents again for instance, what do you think parents can do? What do you think consumers who are concerned about other people who they might be caring for, whether they’re caregivers or parents in fact can do to protect themselves today and tomorrow? We talked about the educational piece, but what else, if you had to give a few top tips?

Roland Cloutier:

I’m worried you’re reading my email, Ellie. So, this is fun because I have an elderly parent at home here that lives with us that is part of our multi-generation family. And I realized what a slacker I’ve been recently and because he’s always conscious he doesn’t want to use my time, but over the last few weeks he had some questions about some text he was getting in some emails. And finally I sat down and I said, well, let’s talk about what you’re getting and what, what’s bugging you and that sort of thing. And I realized that I had not helped him understand the apps he was using, even folks in their seventies and eighties or using iPhones and applications today for different things that makes their life better, but they don’t understand the technologies necessary behind it or the capabilities that they have to stop their information from being shared or being very, very public.

And so one things we can do as families, starting on if we’re caregivers, is make sure that they understand what their choices are and help them through it. Because most of us grew up, especially in my generation and below with our phones, we know how to manage our apps and our technologies. We’ve kind of the first generation of folks with that level of technology. Help your families, help your neighbours. I think like anything else, if you live next to an elderly person and you see them up on a ladder, go help. If you see them trying to use technology, go help them. I mean that, that’s number one is we can use that to make everybody a little bit safe. And so that’s number one. Number two for parents, buckle up. It’s not going to get any easier. I think the basic premise of the technologies that your kids use, and many of them have the ability to have family and guardian centered capabilities.

So, what I always suggest to parents is that you make a determination based on the maturity and age of your child or the child that you’re caring for, decide when it’s appropriate for them to have technology. And going back to agreements that were developed probably 10, 15 years ago that says, if I’m going to allow you to have this technology, this is what we’re going to agree to or not, you’re the parent. If you’re not going to agree or abide by it, you’re not going to have the technology. It’s really that simple. And so start with the basic explanation of what’s right or wrong in your family’s or your home’s eyes and help them understand the why and set that law. 

Number two is be involved. This is probably dating myself, but when my kids were younger, I would be their friend on their Facebook or on their IG account.

All right. And by the way, we don’t do ghost accounts and if I find out you have a ghost account, you lose your phone for 30 days. Basic rules. I think parents are trying to enable their children to embrace technology, and by the way, they’re using all day long. They get up in the morning and they’re looking at their schedule on the television on the refrigerator. They’re doing homework on their iPad and schoolwork all day long. They’re constantly engaged in technology, understand what controls you can have on them, whether they can connect to certain sites or if it’s going, you can put safe site software, especially for the younger children so they can’t go to certain sites. So, it’s really important. Often it’s free, you just have to put it on. So, make sure that it’s your devices that your kids are using and the applications are age appropriate and that their devices are safe.

And the third thing I would say is utilise the technology that these companies are developing for you. If a company has a family engagement model that allows you to be paired to your child’s device and allows them what they can or cannot see or what they can or cannot post, use it. It is whether it takes an hour or two hours out of your life can save you years of misery of trying to clean up from what one bad actor does to your child. And so making sure that you spend a couple hours understanding the technology if you’re going to let them use it, is important. It’s table stakes in protecting our kids today because it is such an ingrained part of their life.

Ellie Tehrani:

And in terms of the businesses, through your many years of experience working with various different organizations, what is some of the key takeaways that you would tell them to better protect themselves and their customers today and into the future?

Roland Cloutier:

It’s a complex environment, and I’m going to break it up into security and privacy because I think although they’re joined, security enforces the controls that helps the privacy aspects. So, I think they’re very different. I think especially companies today, you give me a small candle manufacturing company in your basement and you’re a multinational and you’re holding certain types of data, is that seek help. I think you’re not going to be a privacy expert, I’m not a privacy expert. And make sure that you understand what your responsibilities are and what you can and cannot do specific to privacy, like seek the help, get privacy experts. You don’t have to hire people if you’re a small company, but you should seek counsel to make sure you understand, especially when it’s protected information like consumer data or financial data or health data or anything of that nature. That’s number one. On the security side, do the basics. And whether you’re a small company, a mid-size enterprise or global company, there’s a level that you should be at based on the type of data you have in the criticality of your operations.

Measure yourself, sit down and if you’re a small business, use a small business association self measurement on how your security is. If you’re large enterprise, I’m sure you’re doing this anyways, but make sure you have external third parties do assessments of your program’s capabilities and the efficacies of your controls, but test yourself and ensure that you are applying the right level of understanding of what the risk is to your company to what you’re investing. And it’s always going to be a balance and it always will, but this isn’t a do it once and forget about it. This is an every year thing. This is an everyday thing, if you will, from a security perspective. So, make sure you get the help on the privacy side and on the security side, you’re providing clear measures.

Ellie Tehrani:

Before we wrap up and is there anything else that you want to convey to our listeners?

Roland Cloutier:

Take this seriously. I mean, listen, especially in this space, when we’re collecting information to help our business, to help the consumers to help research. With great accountability comes some really great responsibility that we have in this space. And it’s not impossible. It just takes effort. And the more we can do to drive the trust of the public and the consumers, the more we’re going to be able to do to push the world forward through the use of better information and technology.

Ellie Tehrani:

Roland, I thank you so much for your time today. Thank you.

About Our Guest