Reimagining Cyber - real world perspectives on cybersecurity

Secure It: Guarding Your Data - Ep 83

February 07, 2024 Reimagining Cyber Season 1 Episode 83

In this episode of "Reimagining Cyber," Rob Aragao and Stan Wisseman welcome Adeel Saeed, discussing the importance of data protection in the evolving cybersecurity landscape. Adeel emphasizes the need to understand data sovereignty, navigate regulatory challenges like DORA, and implement a comprehensive data lifecycle strategy. The conversation delves into the nuances of technical debt related to data, the significance of cyber resilience, and the imperative for organizations to embrace a proactive approach in safeguarding their data assets.


Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com


[00:00:00] Rob Aragao: Welcome everyone to Reimagining Cyber. Rob here with Stan and today's special guest. We're going to have an old friend of mine, Stan, who I met several years ago in my backyard here in Boston. He was the former CISO of State Street. Previous to that he was with London Stock Exchange, and now he's running the global cyber practice for resiliency at Kyndryl.

[00:00:19] So I'm really looking forward to the conversation with him today.

[00:00:22] Stan Wisseman: Yeah. It's great to have him on. Today's guest, Rob, is Adeel Saeed. Hey, we're thrilled to have you on our podcast, Adeel, and it's great to have you finally on. Before we dive into the conversation, would you mind delving a bit more into your background and sharing with our listeners some of your impressive career journey?

[00:00:42] Adeel Saeed: Stan, thank you. You are too kind, you and Rob. So I appreciate you having me on the podcast. It's a privilege to be here. Quick background. I know you touched on a few organizations, but primarily on the infrastructure and information security side across the organizations that you mentioned, also including State Street Bank and Trust as their CISO.

[00:01:01] So you know, as we've all said, security is not by design, it's by accident. And our job is to prevent accidents from happening. So it's baptism by fire, or by trial and error. So looking forward to this conversation.

[00:01:12] Stan Wisseman: So true. That is so true. Well, one area that is sort of baptism by fire, I think, is just the fact that, you know, there's so much data being collected by organizations, and how you govern that data and secure it is one of the big challenges we're faced with today.

[00:01:27] That's one of the areas we want to focus on. And as organizations are trying to both monetize their data, as well as, you know, improve their decision making process leveraging that data, we also can't forget about the security and privacy aspects of that. And so can you, you know, share what you think some of these organizations are doing as far as placing an importance on that aspect of the data collection challenge?

[00:01:56] Adeel Saeed: I think it's a never ending deal, because everything revolves around data. And how you're protecting that data, whether you, I mean, it'll be a miss for us not to mention AI in the conversation. It's all based on data. And as the regulators across the globe are catching up, or are sometimes ahead of the curve in certain regulations, right.

[00:02:20] Or at least trying to manage. Not to curb the innovation, but to manage the proliferation and the avoidance of how security becomes an ultimate issue. And it protects the ultimate consumer, in this case, could be a business or a B2C person. At the end of the day, it's all our data, right?

[00:02:35] And how do we protect it? And that data security element has not changed. So we have historically focused on securing the data through access management, or through some sort of encryption, or through excessive monitoring or logging. But to follow the lineage of that data, or to be able to monitor it, manage it, and continuously validate whether the access provided day one is still relevant day two.

[00:03:00] Is, I think, a homework question for all of us, and I think industries are still, or at least many organizations, if not all, are not struggling with it, but they're trying to come to terms with how regulation meets the rubber of, you know, the regulatory road, as an example, so to speak. And I think we are all on that journey together.

[00:03:20] It hasn't been solved yet, but I think there's a very interesting area for us all to double click on, and I think this is one area, if I were to say, that's not going to be done by a solution or an organization. I think it's more of an open source forum, or we all have to get our heads together to find the right streamlined view of how we protect it.

[00:03:40] Yeah.

[00:03:40] Rob Aragao: It's definitely more of a true ecosystem approach, if you will. Yeah. Right. And so speaking of regulations, thank you. I mean, Stan and I have had conversations on many topics relative to regulatory requirements. You know, we've spanned the discussions as it relates to all of the different privacy regulations.

[00:03:59] The many that we have here in the U.S. is an example of that, of course, internationally as well. The new SEC cyber rule that went into effect at the end of 2023. You know, but one, Adeel, we haven't really discussed is DORA, right? The Digital Operation Resiliency Act, and it's coming out of the EU, right?

[00:04:15] Now that's going to go into effect January of 2025. But you know, the way I'm reading and interpreting it, and I want to get your thoughts on this, is that it's yet another lever that really, again, regulators are trying to leverage as taking kind of aim at the leadership and the boards of organizations to help better drive cyber security principles and capabilities, and prove that you're really doing these things back at them very directly.

[00:04:42] So I wanted to get your thoughts, kind of at a high level, on your interpretation of DORA and some of the things that you see coming out of it and opportunities that it can present.

[00:04:51] Adeel Saeed: Absolutely. Well, DORA is an interesting paradigm. And I think we have all been flirting around with third party risk management based on different industries that we have been in, whether it's regulatory, non regulatory, and there hasn't been a global impetus.

[00:05:07] To say the least, on how are you managing risk from the dependency that you have in your wider ecosystem, be it vendors, suppliers, or critical service providers. And I think what DORA is trying to accomplish is exactly that, right? How are you managing the overall risk posture of your environment on the key dependency that you have, and not just a logistics based risk or financial risk, which many companies used to do from a TPRM perspective.

[00:05:34] It's more a continuous risk of how you have the ability first to map your ecosystem in a right, in a diligent manner, identify those exact critical service providers or providers in your ecosystem, and being able to manage it. So I think it's exciting times. And regulatory, you know, impetus and exciting times might be an oxymoron or might be opposites.

[00:05:56] But I think in this particular instance, Rob and Stan, I think what we are seeing is there's a lot of work happening in the background where many organizations are performing a variety of assessments that they normally perform, right? Compliance assessments or third party risk assessments, or even SOC compliance as an example, is all coming together into at least one framework.

[00:06:17] So credit to DORA, right? First, to at least set the guardrails, because before it was subject to interpretation. What's good, what's not. Now at least you have a set of guidelines, right, to follow, which are going to evolve over time, right, as we live and learn, no different than GDPR. But at least it sets the standard on what an organization needs to do to safeguard them.

[00:06:37] No different to what you mentioned on the SEC side, right, the reporting. It's crystal clear in what time frame you have to report a particular incident and the guardrails of those incidents. And I think DORA is leading towards that, almost with another angle coming back. And so this gives two, if you may, this gives two supporting elements to any security professional within any organization.

[00:06:58] It gives them the opportunity to get what they actually want in order to get their framework done, right, which is always a challenge. Budget, resources, and also with this will come a lot of tools and services which companies can provide on top of that, when these CISOs or CIOs will get that.

[00:07:14] Required funding in order for them to be able to get compliant with this regulation.

[00:07:19] Stan Wisseman: And again, it's nice to have that clarity, because the business can then act. Because before, you didn't know what you needed to do. One other area, another issue that is coming up frequently, is this whole issue of data sovereignty, right?

[00:07:35] And some of the challenges around it. And for our listeners who aren't familiar with the concept of data sovereignty, it refers to the idea of a country or a jurisdiction that has authority and the rights to govern and control the data generated within its borders, right? And so, you know, could you share some of the best practices that organizations should adopt when, you know, they're addressing their desire to roll out a service or, you know, have infrastructure in different jurisdictions, and at the same time, be cognizant of the data sovereignty impact?

[00:08:15] Adeel Saeed: Stan, it's a very, it's not new, but it is new. Right, to say the least, data sovereignty, as we are evolving. And I think some of us, including myself, have confused that data sovereignty piece with data privacy and data residency, or at least taken both of them in different contexts, again, subject to interpretation.

[00:08:36] But what data sovereignty is driving is this. Almost like, and I'm going to use cloud as a good example of this, right? A sovereign cloud infrastructure set, which is hosted in a particular jurisdiction or geography. And only the constituents of that geography that might be related to that by birth, by nationality, or by wisdom, or by allocation have access to that, right?

[00:09:01] And then at that stage, whether those individuals or services have access to it outside of that jurisdiction is still subject to interpretation. Right. That's where the privacy kind of comes into play: can I access my sovereign cloud, which might be in country X, if I'm in country Y? Those are still subject to interpretation in different countries.

[00:09:19] So just double clicking on that. Infrastructure locally hosted in a data center that's only accessible to those in a data center. I think we've all been through that a little bit. Now it's being evolved to be called data sovereignty. Sovereign clouds are coming up in different countries. I think we're seeing proliferation of that.

[00:09:35] And to say the least, that's because everyone is trying to avoid: who has the right to access the data in an eventuality, if something happens, something good or something bad happens? What's the reach around? How far can you reach into someone's data privacy? As an example, if you use California's, you know, CCPA law, if your data is stored anywhere and there's a California constituent in there, you have to comply with it.

[00:09:57] Otherwise you will have a potential, you know, fine associated with it if you have not cleared that data. So using sovereign cloud as an example, I think one of the things, at least based on my experience and based on what we're seeing, at least speaking with some of my peers, is you need to be able to understand not just setting up an infrastructure which caters to that jurisdiction, but also the right level of technologies and control, be it tokenization, be it encryption, or be it the amount, like encryption. It's not that it's one and done.

[00:10:27] How do you control the data movement, which is in none of our controls, unless you're managing security at a data level, not just at a network or an infrastructure level. So the origination of that, the retention of that, and then the dissemination of that and the demolition, the entire cradle to grave life cycle of data, I think, is a key element in data sovereignty, and no one solution fits it.

[00:10:50] Stan Wisseman: You have to think that through right up front in the design, because you don't want to do it after the fact, after you've deployed and implemented, because then you may have to rethink how you actually built your infrastructure and deployed it, much less that top layer that you were talking about as far as the access governance to the data.

[00:11:11] Anyway, I think it's a complicated problem.

[00:11:13] Adeel Saeed: And I totally agree with you, and you can see a little bit of passion in this, because you're absolutely right. You have to do it from the ground up, but the ground reality is not many, you know, data sovereignty requests are on anything new.

[00:11:32] They have to cover legacy as well. Right. And I think that's our collective challenge as an industry to kind of solve for. So that's a good, interesting conversation for some time.

[00:11:40] Rob Aragao: That kind of leads us into what I like to talk about next. But before I do that, I think you just made something very clear for the audience, that distinction between data sovereignty and data residency.

[00:11:53] They are two different things. And I think the way you explained it was very clear to really distinguish the two. But getting into that next kind of set of conversation that takes us into data, and data as it serves potentially as technical debt, and the reality is heavy costs and a lot of risk come along with that.

[00:12:12] And to your point, many organizations hold onto data a lot longer than they should. There's requirements in place, you know, with HIPAA, for example, that you should hold on to it for a specific time. You're required to do so. That's fine. Many organizations, large organizations that do a lot of M&A activity.

[00:12:28] They inherit these systems, applications, along with the data sets supporting them, and they don't necessarily go back and assess, you know, where are there areas that we actually can minimize some of those data sets that are out there, because again, all they're doing is adding costs and additional risk, right?

[00:12:44] God forbid those systems are breached. And we should have never even had that data still held in place out there, available for someone to get to. So I kind of look at that again as, you know, avenues of opportunity of where we can actually apply really that life cycle approach, because as you said, it's easy when it's at inception of a new project, a new solution that we're bringing to market, let's be at the front end, let's be aware of what's happening.

[00:13:08] And now it's truly that life cycle, but there is so much legacy, you know, inserting ourselves kind of somewhere in the process has to take us back to discovering, understanding what we actually already have, being able to apply classification to that. You earlier mentioned, you know, the data lineage. I mean, the.

[00:13:23] So many different elements that come into play when we talk about data. What I want to kind of delve into, Adeel, is when you look at that as a framework, as it relates to how do we approach this in reducing that technical debt? What do you think about? What are some of the requirements or kind of recommendations that you drive at in discussions?

[00:13:42] Adeel Saeed: You know what comes to my mind is you can never get rid of data. It's just there with you for life. But Rob, to answer your question, and by the way, thank you for that summary. That was very eloquent. It kind of helps drive a lot of clarity. I think, you know, technical debt or data debt has a lifeline associated with it.

[00:14:01] What's untested so far is the regulatory reach of that data. What happens if you do something with it, right? Everything has a lifeline. But with the new regulations coming out in some cases, you used healthcare data as an example, right? Some jurisdictions have certain, you know, expiration dates associated with it.

[00:14:20] But that does not get rid of the metadata that already exists in your system, right? You're not getting rid of that. So I believe if you go on to a modernization approach, and that word has been used loosely and heavily across various industries, you know, I've been hearing about that for the last 10 years.

[00:14:35] But if you really look at modernization, it is converting that legacy infrastructure or legacy debt to a more modern infrastructure. And organizations that are banking on that modernization effort, I think it's a prime opportunity for them to start from ground zero. Ground zero in the sense of a point in time, and historically, if you remember, Rob and Stan, we used to do like, you know, you're putting a new backup solution in place.

[00:14:58] You're like, well, at this date, all this data will be available through six means of access and everything new will be here. So you had two screens. Over time, companies stopped doing that due to the inefficiency. I think some of those old habits have to come back. Right? Which is, this is sitting over here, it's archived, but it's not going to be archived anymore.

[00:15:16] Right? So you fit that criteria. And I think because storage became cheaper, cloud has proliferated, everyone has access to unlimited storage instead of a USB drive anymore. I think that is what has driven it. So, simple answer over there, Rob, might not be fun. But we have to go back to the basics, right? Which is point in time, cut it off and move on.

[00:15:35] Because I have yet to see anything that kind of helps solve that problem. But it's another interesting problem for us to socialize and discuss, if there is an opportunity for it to be reviewed from a technical standpoint.

[00:15:49] Stan Wisseman: You know, this technical debt is also a potential entry point for attackers, right?

[00:15:54] Yep. You know, if you aren't actively using these older systems, or you may have legacy data architectures. You may have incompatible data formats or inefficient data processing practices that, again, may not be a point of focus for the organization. Doesn't really matter to the bad actors, right?

[00:16:17] They can take advantage of that, even if you're not focused on that at the moment. They can still, in the environment, take advantage of those legacy aspects of your environment to be able to exploit and potentially even, you know, launch ransomware attacks. So I guess, in that context of this multifaceted kind of problem, how do you, you know, safeguard your data effectively?

[00:16:42] And again, you know, one of the biggest pain points organizations face today is the threat of ransomware. And in the context of having a mature data strategy, including backups and archiving that hopefully are immune to ransomware bears that are typically trying to subvert your controls. What do you recommend as a strategy?

[00:17:06] Adeel Saeed: KYC is a term that's used a lot, right? Know your customer, from a compliance perspective. I think we've all come to terms over the last 10 years, based on the geopolitical influence in the world. And that's just because to know who is who, and are you really who you are. Which kind of leads to Zero Trust, which has been used loosely, which is a framework, started off as a framework, became a solution, but it's still a framework that many companies struggle with because it's so massive that they're like, where do we start?

[00:17:33] I think, Stan, to answer your question, KYC to Zero Trust, I call it KYD, know your data. One of the key elements is know where your data is, that mapping exercise of identifying your data. And then safeguarding it using zero trust principles, right, needs to KYC, knowing where your customer is.

[00:17:53] So if you go in reverse in that order, until you know that, it's very hard for you to understand what it is. And I think having a committed set of resources to perform that task, which might sound meaningful, can actually pay dividends, because that is the crux of anything that any organization is trying to do, protect your data, right, and kind of leads to that.

[00:18:15] That would be the short form answer for that, and I think we should do that.

[00:18:19] Rob Aragao: It brings up a very key point, Adeel, which is, I've seen too many a time where organizations have taken kind of the priority being around how they protect the data. For more of an encryption, data masking, tokenization kind of principle, if you will.

[00:18:34] And again, they take that as the priority. They want to do that first. And I questioned them, but do you even know what data you have to actually properly protect? And the answer is kind of, eh, I think I know the things that I need to protect, but yeah, I probably don't know all of that. So it's like, where should you really be investing first?

[00:18:53] Right? So again, that goes back to what you're talking about. It's like, you need to have visibility, understanding of what actual data you have, how to categorize it or classify it, align it to the business. What the business is stating is important to them, that sense of information, and now you can apply the right protection schemes supporting the need of that classification, if you will, for that data.

[00:19:11] And again, that goes back to your earlier core discussion point around, this is a life cycle approach. So it's continuous. You're always going through that. Now one of the things, as we were talking about the topic of data today, that ties back into kind of the foundation of why Stan and I actually created this podcast about three years ago, is the topic of cyber resilience.

[00:19:31] And so, obviously, cyber resiliency is a core theme that we've been pushing very heavily. You are a major proponent of cyber resilience, which we appreciate. And I would love to have your kind of perspective of guidance to the audience, of the principles and the best approaches to help cast out shaping and reshaping.

[00:19:50] In many cases, the cyber security kind of posture transition to a more of a cyber resilient approach. 

[00:19:57] Adeel Saeed: I appreciate it, Rob. And I think it's a great opportunity, as I mentioned at the beginning, to sit with you and Stan to kind of help share and learn from our colleagues in the wider spectrum. One thing that I've learned the hard way is resiliency is not recovery, and resiliency is not just backup. Business continuity is a core element, but that's not cyber resiliency.

[00:20:13] To be resilient is to understand your weak points, where your weaknesses are, and which are the areas you need to focus on. So food for thought, and apologies if I'm being repetitive, is to understand your environment. Number one, risk management, risk rated: which applications, systems, services need to be there in order for the business to operate.

[00:20:34] That's the first and fundamental rule of thumb. Don't go after, you know, email as a core. Let's say we're going to have two email systems. One is going to be here. This is totally resilient. That's a great way of starting, but at least understanding your inventory of where you are, risk weighted.

[00:20:51] No different to BCP principles. But adding on top of that is to understand your resiliency posture, what your threat vectors are, attack vectors are, and how you can actually protect them in order to safeguard the data. Understanding the attack vector means you should be able to know that this data could be subject to malware or ransomware, which totally throws your resiliency posture out the way, because you might have done a test, but that synchronous replication, which is in a second, might actually not cause you to do that.

[00:21:19] So know your RTOs, right? Know your RPOs at a point in time. Make sure you design your infrastructure, not end to end, but at least your core systems, to be resilient enough to have this air gapping technology or validation technology. It goes back to the know your data example, because you can bring up a system.

[00:21:38] But if your data is all gone, there's absolutely no reason to bring that system up. And then don't go with traditional measures, you know, having, you know, primary, secondary. It works. It's great from a backup perspective, but it's not necessarily resilient. Defense in depth, which we have used in the security world for so long, sometimes, you know, does not get the respect that it needs.

[00:21:59] It actually does work, right? In having different solutions being your primary and your secondary to add to that resiliency, because resiliency is not just an application and data. Resiliency is also on the infrastructure, right? Or the network or the services that you depend on. So, spot on, cyber resiliency, core to all of us.

[00:22:17] You know, and last but not least, without sounding like a broken record, is you can have all the solutions, but without effective testing and effective validation it is as good as not having it at all. But updating that, and not the old school way of, you know, keeping an Excel spreadsheet validation of that.

[00:22:35] That's great, but a systematic approach, the right solutions, whether it's technical services or infrastructure, they should be in place and kept up to date to manage your resiliency posture, and having that done twice a year, if not more, is the way to go. Adeel, would you add to that?

[00:22:52] Stan Wisseman: Definitely, it's a great definition of what needs to be done, but how you evolve or adapt to the threat. I mean, granted, you are understanding the attack vectors, but those can change over time. And so you also are needing to continuously monitor what's new. Right?

[00:23:11] Adeel Saeed: Well, absolutely, Stan. And thank you for that. I think the evolution, or let's look at zero day threats, right?

[00:23:18] And I think one of the things that we should focus on, which sometimes you can solve for this: how do we avoid that zero day threat? Let's say if an organization gets impacted by that, but there is no remedy for it. Right. And you have planned your resiliency around your infrastructure, your system, to be able to recover. One of the options you have, can you fail over to another solution, which has always been that, right?

[00:23:45] Old school days, you know, hot and cold backups, right? You have a hot side and you have a cold side. Cold side is as, and I think it's coming back. Right. That cold site concept of, this is my most pristine data that's there. I might not have real time information, but I will be able to have a resiliency posture.

[00:24:03] I can bring the data set up or I can bring my application up back the next day. Now, some might say it's radical, but that might be another course of action to take in this case, because escaping a zero day attack is something that we all fear. And unless you have invested heavily, heavily, heavily in segregating that, you still have that insider risk, you still have that insider proliferation.

[00:24:28] So the vectors are so vast, and it's almost like, let's get the basics right. Right. And where there is room for improvement, let's try to go the extra mile to kind of set, as you mentioned, you know, look for that vector which you can't really conquer at this stage.

[00:24:43] Stan Wisseman: Got it. 

[00:24:44] Rob Aragao: Thank you. And just to kind of close out on the cyber resiliency piece there, too, at the end of the day, as you kind of tied back into, it's minimizing the impact as best as possible.

[00:24:53] Right. But the aspect of cyber resilience, to me, over the past few years, I think, has finally received the buy in that we focus on from the technology side of the house, from the executives and board level specifically, because they understand resilience. They understand operational resilience. So now we're actually speaking.

[00:25:14] Finally, we're speaking in their language, right? Absolutely. And it's understood, and we boil it down to the kind of four key goals of resiliency as it relates to the cyber requirements, and they get it. They interpret it like, yeah, that's my business operational resiliency model. It's applied to cyber.

[00:25:28] Now it makes sense. Right? So I think it's made a lot of great progression, and it's finally starting to open up the way we should be conversing properly with the board, and the buy in that it deserves. So Adeel, we greatly appreciate your time coming on. We know we can talk with you about not only this topic, but many, many topics for many hours.

[00:25:46] But we, you know, we decided to focus in on the topic of data, and you did a great job in helping paint the picture for everyone listening here, what you're thinking about, what you're seeing out there. So we appreciate that. Thanks for coming on.