Inside Out Security show

Inside Out Security

Summary: Our podcast takes up the big questions of security, risk, and vulnerabilities. A weekly discussion with experts and the Varonis team.

Podcasts:

 I’m Sean Campbell, Systems Engineer at Varonis, and This is How I Work | File Type: audio/mpeg | Duration: 00:17:20

In April of 2013, after a short stint as a professional baseball player, Sean Campbell started working at Varonis as a Corporate Systems Engineer. Currently a Systems Engineer for New York and New Jersey, he is responsible for uncovering and understanding the business requirements of both prospective and existing customers across a wide range of verticals. This involves many introductory presentations, proof of concept installations, integration expansion discussions, and even the technical development of Varonis channel partners. Sean also leads a team of subject matter experts (SMEs) for our innovative DatAlert platform. According to his manager Ben Lui: “Sean Campbell is one of the most talented engineers on my team. He is the regional DatAlert SME and bridged valuable feedback from both customers and the field back to product management. Sean is also an excellent team player and excels at identifying critical data exposure during customer engagements. Overall, Sean is a key contributor to the Varonis organization.” The fast-paced environment, the challenge of data security, and the fact that the sales cycle is far from “cookie cutter” are what Sean enjoys most about his role here. He also values the relationships he has been given the ability to build up over the years on both the Varonis and customer side.

 Data Protectionism: Friend or Foe? | File Type: audio/mpeg | Duration: 00:23:12

Data protectionism - restricting the movement of data between countries - will be an option that governments will elect to implement in the upcoming months and years. As the world economy becomes more data-driven, impacting global GDPs, such restrictions will soon find their way into trade deals, requiring data to be held in servers inside certain countries.

 Turning People into Devices | File Type: audio/mpeg | Duration: 00:28:06

Medical devices are a good example of what computerized assistants might face in the future. Yes, medical devices can save lives and certainly serve a more noble cause than outsourcing tedious tasks, but the security aspect of these life-saving pacemakers and defibrillators still requires firmware updates. Seems that we still haven’t learned our lesson: embed security at the initial stages of design.

  I’m Brian Vecci, Technical Evangelist at Varonis, and This is How I Work | File Type: audio/mpeg | Duration: 00:19:25

If you’ve ever seen Technical Evangelist Brian Vecci present, his passion for Varonis is palpable. He makes presenting look effortless and easy, but as we all know excellence requires a complete devotion to the craft. I recently spoke to him to gain insight into his work and to shed light on his process as a presenter. “When I first started presenting for Varonis, I’d have the presentation open on one half of the screen and Evernote open on the other half and actually write out every word I was going to say for each slide,” said Brian. From there, he improvises from the script. “I’d often change things up while presenting based on people’s reactions or questions, but the process of actually writing everything out first made responding and reacting and changing the presentation a lot easier. I still do that, especially for new presentations.”

 Attorney Sara Jodka on GDPR and Employee Data, Part II | File Type: audio/mpeg | Duration: 00:08:03

Sara Jodka is an attorney for Columbus-based Dickinson Wright. Her practice covers both data privacy and employee law. She's in a perfect position to help US companies understand how the EU General Data Protection Regulation (GDPR) handles HR data. In the second part of our interview, Sara will talk about the relationship between HR data and Data Protection Impact Assessments (DPIAs).

 Varonis CFO & COO Guy Melamed: Preventing Data Breaches and Reducing Risk, Part Two | File Type: audio/mpeg | Duration: 00:08:12

In part two of my interview with Varonis CFO & COO Guy Melamed, we get into the specifics with data breaches, breach notification and the stock price. What’s clear from our conversation is that you can no longer ignore the risks of a potential breach. There are many ways you can reduce risk. However, if you choose not to take action, minimally, at least have a conversation about it. Also, around 5:11, I asked a question about IT pros who might need some help getting budget. There’s a story that might help.

 Not Everything is a No Brainer | File Type: audio/mpeg | Duration: 00:18:29

A popular catchphrase amongst IT pros is: “It’s a no brainer.” When an idea is described as a no brainer, it’s assumed that the idea has obvious value, when processes and strategic decisions are more complicated than they appear. So when it comes to cybersecurity, not everything is a no brainer. Far from it.

 Attorney Sara Jodka on GDPR and Employee Data, Part I | File Type: audio/mpeg | Duration: 00:08:12

Sara Jodka is an attorney for Columbus-based Dickinson Wright. Her practice covers both data privacy and employee law. She's in a perfect position to help US companies understand how the EU General Data Protection Regulation (GDPR) handles HR data. In this first part of the interview, we learn from Sara that some US companies will be in for a surprise when they learn that all the GDPR security rules will apply to internal employee records. The GDPR's consent requirements, though, are especially tricky for employees.

 Varonis CFO & COO Guy Melamed: Preventing Data Breaches and Reducing Risk, Part One | File Type: audio/mpeg | Duration: 00:12:47

Recently, the SEC issued guidance on cybersecurity disclosures, requesting public companies to report data security risks and incidents that have a “material impact” that reasonable investors would want to know about. How does the latest guidance impact a CFO’s responsibility in preventing data breaches? Luckily, I was able to speak with Varonis’ CFO and COO Guy Melamed on his perspective. In part one of my interview with Guy, we discuss the role a CFO has in preventing insider threats and cyberattacks and why companies might not take action until they see how vulnerable they are with their own data. This interview is well worth your time: by the end of the podcast, you’ll have a better understanding of what IT pros, finance, legal and HR have on their minds.

 Dr. Wolter Pieters on Information Ethics, Part Two | File Type: audio/mpeg | Duration: 00:10:47

In part two of my interview with Delft University of Technology’s assistant professor of cyber risk, Dr. Wolter Pieters, we continue our discussion on transparency versus secrecy in security. We also cover ways organizations can present themselves as trustworthy. How? Be very clear about managing expectations. Declare your principles so that end users can trust that you’ll be executing by the principles you advocate. Lastly, have a plan for what to do when something goes wrong. And of course there’s a caveat: Wolter reminds us that there’s also a very important place in this world for ethical hackers. Why? Not all security issues can be solved during the design stage.

 41% of organizations have at least 1,000 sensitive files open to all employees | File Type: audio/mpeg | Duration: 00:27:20

This week, we talk about our annual data risk assessment report and sensitive files open to every employee! 41% of companies are vulnerable. The latest finding puts organizations at risk, as unsecured folders give attackers easy access to business roadmaps, intellectual property, financial and health data, and more. We even discussed how data open to everyone in an organization relates to user-generated data shared with 3rd party apps. Is it a data security or privacy problem? The panelists think it’s a breach of confidence.

 Varonis Track at RSA 2018 | File Type: audio/mpeg | Duration: 00:28:36

We’re all counting down to the RSA Conference  in San Francisco April 16 – 20, where you can connect with the best technology, trends and people that will protect our digital world. Attendees will receive a Varonis branded baseball hat and will be entered into a $50 gift card raffle drawing for listening to our presentation in our North Hall booth (#3210). Attendees that visit us in the South Hall (#417) will receive a car vent cell phone holder. In addition to stopping by our booth, below are sessions you should consider attending. You’ll gain important insights into best security practices and data breach prevention tips, while learning how to navigate a constantly evolving business climate.

 Dr. Wolter Pieters on Information Ethics, Part One | File Type: audio/mpeg | Duration: 00:14:34

In part one of my interview with Delft University of Technology’s assistant professor of cyber risk, Dr. Wolter Pieters, we learn about the fundamentals of ethics as it relates to new technology, starting with the trolley problem. A thought experiment on ethics, it’s an important lesson in the world of self-driving cars and the course of action the computer on wheels would have to take when faced with potentially life-threatening consequences.

 I’m Elena Khasanova, Professional Services Manager at Varonis, and This is How I Work | File Type: audio/mpeg | Duration: 00:22:48

Prior to Varonis, Elena Khasanova worked in back end IT for large organizations. She did a bit of coding, database administration, project management, but was ready for more responsibility and challenges. So seven years ago, she made the move to New York City from Madison, Wisconsin to join the professional services department at Varonis. With limited experience speaking with external customers and basic training, Varonis entrusted her to deploy products as well as present to customers. Elena recalls, “Not every company will give you a chance to talk to external customers without prior experience….But it was Varonis that gave me that chance.” According to her manager, Ken Spinner: “Over the last 6 years, I’ve had the pleasure of working with Elena, first as a coworker in different departments, and most recently as the leader of our Remediation Team in our Professional Services department. Elena was uniquely qualified to lead the team as she had significant experience performing project management prior to planning and completing our first remediation projects. Elena’s knowledge was instrumental in defining the essence of the Varonis Data Risk Assessment, the process used by PS to perform remediation, as well as providing practical insight to Engineering during the development of the Automation Engine.”

 Are Users and Third-Party Vendors Frenemies? | File Type: audio/mpeg | Duration: 00:22:08

In the midst of our nationwide debate on social media companies limiting third party apps’ access to user data, let’s not forget that companies have been publicly declaring who collects our data and what they do with it. Why? These companies have been preparing for GDPR, the new EU General Data Protection Regulation, as it will go into effect on May 25th. This new EU law is a way to give consumers certain rights over their data while also placing security obligations on companies holding their data. In this episode of our podcast, we’ve found that even disclosures, such as PayPal’s, leave us with more questions than answers. But, as we’ve discussed in our last episode, details matter.
