PODCAST: Cyber Security
Welcome to Just Clarity, a periodic podcast about Digital. Just Clarity is produced by the team at Digital Clarity Group. We help leaders transform the experience they deliver to customers, prospects, and their employees through the effective selection, integration, and adoption of customer experience management technology. Learn more at digitalclaritygroup.com
In this episode of Just Clarity, Connie Moore interviews Juanita Koilpillai, the CEO of Waverly Labs on the subject of Cyber Security.
Connie Moore (CM): Hello I’m Connie Moore, Senior Vice President of Research at Digital Clarity Group and I’m delighted to have as my podcast topic today what customer experience leaders need to know about cyber security and I have a guest who has a very extensive background in cyber security. My guest is Juanita Koilpillai and she is the CEO of Waverly Labs which is a software and services company in the cyber security space. Also Juanita is one of the original leaders in establishing the Digital Risk Management Institute which is a non-profit organization that’s purpose is to expand the amount of knowledge around digital risk and cyber security and to help business leaders know how cyber security fits into the business landscape. So Juanita welcome.
Juanita Koilpillai (JK): Well thank you Connie, I’m happy to be chatting about this conversation.
CM: Yes we have been talking about it for a while and I guess I would like to start out by giving it a little bit of a preamble because folks on the customer experience side, the leaders of Customer Experience Management initiatives, maybe actually scratching their heads are somewhat curious about why we’re talking about cyber security because it seems so far afield of customer experience management. I actually went to a conference recently where everyone was at a minimum, a Director or Vice President level as well as we had a number of CMO’s and I asked a few of the participants at the conference who work for companies that I knew had had security breaches, and I asked them how they were working with the risk leaders and security leaders to address this, and they just kind of looked at me blankly and said, “We’re not.” So I think it is a very interconnected subject and I’d like this podcast to explore that and explain to our listeners why this is an important thing to be bringing closer together.
So Juanita what is your experience? I know you work with the enterprises all the time that are either very concerned about breaches or have experience breaches. What connection do you see between the two topics?
JK: So currently this whole conversation is very nascent with an organization at the executive level. It’s only been since 2015 when the board has started to get involved, CEO’s have been fired over cyber breaches, and the topic is new and people are trying to figure out how to have that conversation, what does cyber security look like for my business? And up till now it’s been up to the IT department, IT teams, Sysadmins, and CIO’s who have had this conversation, but bubbling it up to the board, to the executive team, to across the silos within organizations. It’s still a new conversation.
So we at the Digital Risk Management Institute are trying to create and help with that conversation what it should look like.
CM: And you have actually worked with companies that have gone into a panic after a security breach and you’ve observed some of the steps that they’ve taken. Now as far as I’m concerned, as a customer of a company that’s had a security breach where my information is out there somewhere in the digital world, that’s about a frightening as it gets. So how do you see companies that are actually in the firing zone and are going through these breaches, how do you see them reacting and where do the customers fit on their list of things that are really important to take care of?
JK: It’s only been in the last year where that conversation has started to happen right? Now that we’ve seen the breaches being massive. Some companies like Northrop Grumman had a massive breach. They didn’t see any change in their stock price, whereas Sony was devastated when they had their breach and it’s taken three to four years to get back to the stock price that they had been in. So more and more companies are saying, “We need to figure out, when we have a breach, what our plan is, how do we talk to the customers, what do we rule out, how much do we say?” and you can imagine when you get the legal teams involved and the risk officers involved and stock prices are at stake, this conversation is still pretty new right? The strong CEO that’s bold will stand up and take responsibility and calm fears and talk to the customers and orchestrate it, but there are some CEO’s that are not prepared, not ready. So we’ll see that change happen soon, sooner than later. We’re seeing a lot of law firms getting involved as to what data they need to share, what information they need to put out, what the responsibility is and you see the legal teams, really preparing their companies anymore to actually put the world out, right? What is the press release going to be, how are we going to talk about it to the outside world and the community at large.
So we’re going to see some changes and people are starting to look at how do we respond when we have a breach in a public way.
CM: Yes, you know I just happened to have been involved in two breaches. One was Anthem the insurance company, and when I read about it in the newspaper it was like, “Uh oh, I do business with these guys and they have a lot of private medical information”, and I thought, “Oh boy, what exactly does this mean?” And I had no idea what it meant, and the first thing that happened is I got a really terse, short, brief letter saying, “My records have been breached and they just wanted me to know that my records have been breached”. It was a horrible feeling because it was such… I even remember it was visually ugly, it was not well laid out with a nice font with nice letterhead. If I recall it correctly or at least my memory have distorted it into just this little terse, one page, not very interesting to look at thing saying, “Your records have been breached”, and I was like, “Okay, what now?” It took a long time, I really have to say it, it took a long time for them to send me what I thought was a proper communications with the customer and proactive steps to take, including Lifelock and I don’t know, just guarding information, being on the lookout for unusual things that may been happening in my credit cards and things like that, and I would say it was inadequate, very inadequate, and I think maybe this is typical?
JK: Yeah I would like to see it more like a recall on a vehicle right? You get a recall, you go to the dealership and you get it fixed, and it’s taken care of. You get a notification and you do something about it. With customer experience, who do you call? Most companies don’t have helpdesk anymore or the place where customers can call right always because a lot of is recorded and automated anymore, and besides when your posted information has been stolen, what can they do? Are they going to issue you a new social security number? No. There are other agencies that have to get involved. The federal government has to have its policies in place. So there are many things that have to come together and people are working on it really hard, and our federal government needs to have a policy for how they can help consumers when, you know and the consumer protection bureaus have not got involved in this yet right? That conversation has not happen and they need to.
CM: Yes and the federal government needs to pay attention to its own way of handling this like it’s had some massive breaches. The office of personnel and management. You and I Juanita, we live in Washington DC, just about everybody was hit in some way or the other, and there was very little guidance about what to do, but let’s shift gears for a minute. This is after the breach has happened. What you and cyber security specialists are focusing on is how to prevent it in the first place right? And tell me if I’m right about, you work with risk management executives and you work with security management executives and they’re not the same people and they don’t have the same agenda.
JK: That is correct, so they need to talk because the enterprise security managers, especially in large organizations, small companies it’s a little different, but large companies have enterprise security managers who are tasked with insuring their risk exposure is minimal right?
JK: Today from a financial perspective, they will be soon taking on the role of digital risk as well, managing digital risk and what does that look like and how do you have the conversation with the cyber security teams. Can you talk about failures in your organization based on the risk of going online, the risk office is more open to have that conversation versus talking about the vulnerabilities and threats which they probably don’t care about or understand as much and so, having a simpler conversation so that the enterprise security manager can’t just worry about the physical and the financial risk, but also now add to his arsenal, how am I going to deal with the digital threat, then that would be a good thing.
So as you can imagine, the expertise that the enterprise risk manager needs to have is a little different right? They need to have a little more technical background or training, or the conversation itself so they are more comfortable guiding organizations on what to do, so that it’s driven top down right? As opposed to doing it after the fact. So you have a plan in place, you’ve assessed your risk, you’ve figured out how to reduce your risk exposure and drive that conversation so that the security teams and IT teams know where to focus, how to prioritise the solutions and implement them in a way that reduces risk far better than what we’re doing today right? Today we’re trying to protect the whole organization whereas if the enterprise risk manager steps in, he can say these are the most critical assets, these need to be protected first, the cyber security teams can do that.
CM: And that’s where I think that the customer experience leaders come into the picture and yet I imagine it would be a massive effort to get all these players working together if the cyber security and the risk professionals are still trying to collaborate with one another, bringing in the customer experience leaders is another piece of the collaboration. How do you do that? How do you do that?
JK: So we say the time is right today to bring security, privacy, and trust together right? And integrate it, make it an integral because trust in an organization is huge right?
JK: So bringing the privacy advocates so that the users privacy is protected, while at the same time the security is implemented right? So the security people lock everything down and the privacy people say, “Well my users need access to their information”, right? And then the customer experience says, while we’re doing that, the customers need to trust us. So these technologies and legal frameworks exist, it’s a matter of integrating them within an organization right? And within a legal framework which exists today, it’s just that we haven’t implemented and integrated these concepts in an organization, that’s what’s going to make it better, right?
CM: Yes, I agree, and I’m intrigued by your mentioning of trust and privacy because this is one way I came to the subject is that, you know websites when they first got created were just really mainly about publishing content, having information available. Then as they became more advanced, they moved into personalization, giving integrated experience to the person looking for content, doing electronic commerce and so forth. So all that personalization information is collected, and there you get into trust and privacy, and it goes well beyond that because now you have ad tracking, and what did the person read, what have they been looking at, what are the analytics regarding that individual’s behavior, and we haven’t even gotten to the really invasive part which is facial recognition, the cognitive systems and data, very intimately connected to the person.
So from a customer experience point of view, it’s imperative to go beyond what’s that experience to the customer, but what’s happening to that data? Who owns that data, who’s using that data, what do you want to prevent ever happening to that data and then you have European regulations happening right now to make the privacy much more restricted, more things are private. Access is restricted.
So I kind of see if you were to imagine this round thing in the middle called privacy and on the left hand side is the customer experience leader following the trail: Content, personalization, ad tracking, behavior, analytics, and so forth and boom! They get to privacy, this is a big issue. Then I see the security people and the risk people coming at it from the right side and they keep following the trail and boom! They get to privacy. So there is a shared interest and their privacy is the really huge thing that these two diverse fields where they start coming together and have to come together.
JK: Correct and in Europe they’ve passed laws about privacy right? That the data has to reside in the country that it was originated and they would have to know when that data is traveling somewhere else, and so for the cloud vendors it’s very difficult, and one of the cloud vendors actually was smart enough to create a local trust organization, you know, that a partner who was responsible for managing the data. So it’s like a trustee of your data, right?
JK: So that was very clever I thought to bring in a trustee and say, “This organization is going to own the data, we cloud vendor, can prove that the data has not traveled to another country or to the US”. So the data trust’s model is taking shape. It’s going to happen real fast in the healthcare industry and it has to happen real fast in the healthcare industry just because of you know people moving to electronic health records and so this concept of for data trust’s, which is a legal framework, is going to be good with e-consent forms, you know the federal government is already talking about doing electronic consent and customers will say, “Yup they can access my data or no, or I can see where my data is and I know who’s touched it,” Right? So that kind of transparency is where we’re going to see the industry moving.
CM: Yes I think so, and this trustee model is interesting because I think it helps solve the problem and it also is a business opportunity for companies. I’m going to ask you something that’s kind of a little more out there, but we’re so in the cusp of so many new technologies being here. So in of other things: Drones, wearables, your apple watch, there’s a real risk of someone picking up personal information from your Apple watch. A GPS on your phone, you can have geo location services that can tell some seller a whole amount of information about where you are and what you’re doing. Do you see the proliferation of these new technologies and new approaches for managing information, just the sheer volume of information increasing, do you see this as really problematic or do you think it will fold into the security frameworks that organizations are already working out.
JK: Yes. Organizations are going to morph and evolve and they’re going to be forced to adopt newer architectures like the software defined perimeter for example, to really take advantage of the changing perimeter right? With these proliferation of devices, your perimeter is no longer fixed within a building right? All over.
JK: And it morphs as people move and travel. So yeah, I see us evolving. I see a lot of new technologies coming out, plus the cloud has really made that shift easier and now people are focused on how do we make that secure and private and how do we trust our data in the cloud.
CM: Yes so it really, I think makes the argument that it’s important to get the various leaders within an enterprise working together, working in a collaborative way. It isn’t like it’s a heavy lift and they have to work side by side, day after day after day, but they do need to be aware of what each other is doing. They do need to be aware of the criticality of privacy across the organization. It hits all the departments, whether you’re customer experience leader or a security and risk leader, and I think getting that dialogue going and getting that awareness going sooner than later is very important. You want to do it before you have security issues, trust issues, breaches, you want to get it worked out and planned for in advance, and that will get you, if not competitive advantage, it will at least help organizations avoid competitive disadvantage.
CM: Well, Juanita I thank you so much for joining us today and I want to once again mention the Digital Risk Management Institute. It is a good place and a good source of information about the typical risk issues as well as the edgy, more you know, thought provoking risk issues and solutions as well. So thank you and I look forward to having you back in the future.
You have been listening to another episode of Just Clarity. Produced by the team at Digital Clarity Group. For more information on the topics we discussed today or the subject of customer experience management, please contact us.