
The Future of Data Privacy in a Digital World

BSides Goa · 2024 · 40:38 · 79 views · Published 2024-04
Style: Keynote
About this talk
Summary

In this video, the BSides Goa 2024 closing keynote speaker (Tony UV) discussed the importance of data privacy in today's digital landscape. He highlighted the value of data as the new currency and the potential risks associated with its misuse. He also provided examples of businesses, hackers, and data brokers who exploit consumer data for financial gain, and addressed the need for executives to prioritise solving problems rather than focusing solely on exits. Throughout the video, Tony emphasises the need for individuals and organisations to become data stewards and take responsibility for protecting consumer data. Watch this video to gain valuable insights and understand the challenges we face in safeguarding data privacy.

00:00 Introduction
02:41 Key Takeaways
05:20 The Problem with Half-Hearted Tech Entrepreneurs
08:01 Data as the New Currency
09:52 The Significance of Data
13:21 Building Momentum
16:01 Supporting VerSprite and Counterculture Ideologies
20:00 Celebrating the Wrong Things
22:24 Inconsistencies in Current Practices
26:08 Anticipating Game-Changing Developments
28:17 The Importance of Quality Work
30:08 The Pay-to-Play Nature of Services
32:01 The Booming Certification Business
33:52 The Importance of Continuous Learning
37:04 Learning from Others' Perspectives

Transcript

Hey everybody, this is Tony UV, CEO at VerSprite, and I am very honored to be your keynote speaker to close out BSides Goa 2024. I promise that this talk is going to be truly a BSides talk in the sense of introducing some thought-provoking ideas, um, reflections on our industry, and especially as we look into how geopolitical realities are reshaping the cyber security industry. A little bit about myself: I'm a Cornell graduate from 1998. I'm the founder and CEO of VerSprite, which is an international consultancy firm based out of Atlanta, Georgia, focusing on, you know, cyber security services. I'm also the founder of ultra Cloud, which is a CSPM tool dedicated and focused on the SMB and

startup community. Uh, also founded V Staffing, which is a global IT and cyber security, uh, talent cultivator for multinational companies worldwide. I'm the co-author for Process for Attack Simulation and Threat Analysis. It's a, uh, publication, book, that, uh, my colleague and I, Marco Morana, published in 2015, and today it's one of the most formidable threat modeling methodologies that have been adopted by both governments, universities and enterprises worldwide. I have been leading the Atlanta OWASP chapter since 2008. I've also been one of the BSides Atlanta organizers, and I'm currently the CREST vice chair for global pen testing committee for the CREST, uh, organization based out of the UK. I'm a former CISO, uh, multiple

times over and a senior leader in Fortune 50 enterprise security programs. Today's talk is going to be following really kind of, uh, a couple different major tenets of coverages. First of all, I want to begin with some condolences. I'll get into that in a second. Uh, number two, we're going to talk about the status quo of where security is today and reflecting on some of the challenges that have brought us to where we are, um, both things that we as professionals have shot ourselves in the foot, and then looking at a little bit about the geopolitical landscape and how that is reshaping our industry into something a little bit more complicated. First, my sincerest

condolences for not being there in person. I have been longing to be there in Goa to do this exit, uh, or closing keynote, but unfortunately through unforeseen visa issues I am stuck here. So hopefully this raises the level for me to be able to deliver something insightful for all of you to take away and put a cherry on top of what I hope has been a very rewarding time at BSides Goa. But let's also, let me express my condolences to the passing of data privacy and infosec. Infosec, our prior designation for what is now today's cyber security, and in the adage of marketing professionals all over the world, if something doesn't work, just rebrand it. So from infosec, cyber

security, here we are, but heartfelt condolences to both those facets that have really defined a lot of our professions. You might be saying, well, this is a little bit dark and I wasn't really ready for this as part of a closing ceremony, uh, takeaway, but let me provide some data for you, and this is just looking at the top 50 data breaches from 2004 to 2021. Overall we've done a poor job industrywide in infosec, uh, to be data stewards of consumer data. There's been a lot of businesses that have made a lot of money in receiving consumer information and leveraging that information for financial services, for banking, for retail, for advertising, etc., etc., etc. So

17.4.55 50 data breaches, there's been systemic failures on both the commercial and government side, regulation compliance side alike, a lot of negligence, and really it's a lot of us trying to put a shine on oftentimes security silver bullets and eye candy over actual substance. So infosec, thank you for the memories, um, we will miss you. Now data privacy, uh, and infosec have both been attributed to a lot of rotten security tomatoes, if you will, in our ecosystem, and one of my favorite case studies is the story of Norse. If you Google Norse and Brian Krebs, I invite you to please read that whole, uh, publication, but I was at this conference where I had the

lanyard around my neck, I think it was around 2015, and you know, part of the problem in our ecosystem is that there is a lot of eye candy that's being offered. RSA is around the corner in just a week or two, and there's a lot of glal buyers, security leaders, that are wined and dined, and they're basically consuming these dashboards as like a form of like hard drugs. Um, is there some level of, you know, thought-provoking analysis behind the data? Well, in this case there wasn't, and what's interesting with Norse is that a lot of the actual company was just a bunch of smoke, and you know, there was a lot of it had to do

with halfhearted tech entrepreneurs, seed investors that wanted to basically, you know, try to make Norse the next Splunk or the next, you know, major cyber security company, product managers that were there for the ride, marketing professionals that were all for it. I still remember going to RSA, seeing a lot of the fanfare on the floor and the executive team that, realizing that all this is happening, are still pushing ahead. Listen, as a CEO for a company and also a product company, I understand the push for marketability, but as, you know, really a service sector that is security, we are serving businesses, we are serving the needs of those that are confiding their data into

our hands, into our networks, into our platforms. We have to raise the stakes. But there's a problem today, that is executives that are too focusing on the exit and not focusing on the problem that they're trying to solve. So who sits back and enjoys everything? Well, a lot of is in marketing, and I don't mean to villainize marketing, I have a lot of friends that are marketing, um, but there is some level of responsibility that we did not do in the prior days and ages and we still don't do. There's a lot of tech companies out there that unfortunately are looking for that exit, right, they're looking to improve, um, you know, EBITDA, and they're

trying to improve, you know, earnings per share, uh, for publicly traded companies, and they're focusing on that exit. But what this does is it introduces a major economic problem for a sustain minimal supply chain of vendor solutions and services for companies that need our help in the space of cyber security. Now, you know, most recently Rubrik just went and had their IPO, and they, um, we're going to see some takes from the CEO. Half a billion dollars in marketing. There's a lot of examples I can use after nearly 30 years of IIs experience, but suffice to say is that we need to build sustainable solutions, so solutions that are focused on fixing problems and not necessarily just on

exiting. We'll get to all of that more in a second. Now on the data privacy side, again this is the condolences section of my talk, data privacy is dead, and it's been dead. There was a moment where it resurrected, but it really turned into a zombie state where it was just being puppeteered again by nation state actors, governments, uh, big evil corporations, right, Evil Corp, right, uh, Mr. Robot reference there. Data is the new currency that doesn't devalue. It will never go down in value. It is the new, and it will be the pervasive altcoin, Bitcoin, whatever you want. Data privacy dead, and data is the currency that governments, businesses, hackers, data, uh,

darknet operators and data brokers all want, because there's so much that can be done with data. Now if you're still thinking that I'm overly pessimistic with all this, well, just this week, just this week, the New York Times unveiled that General Motors had accidentally enrolled millions of people into its OnStar Smart Driver program. Now if you've been in the industry for a while, how many times do you see things like this, right, where it's either, you know, a misalignment of security control with data privacy. It's a lot about consent, consent management, am I authorized to have this data, and of course it's going to vary by country, by state, by international laws,

but the reality is that these major multinational corporations, they pay these fines, which are a fraction of their overall profitability on this same data. They get the data to understand behavior, uh, tendencies, consumerism better, so they can market better. So this is, you know, it might seem like just simply a single scenario for General Motors, but there's plenty of examples, and the reality that we all need to come to grips with is that we continue down this road collectively, right, as part of being a part of these organizations where we choose not to do the right thing or we don't consider the right data privacy threat model for where consent mismanagement can actually

happen. Now it goes well beyond, well beyond data. I'm not talking about how sustain a business model in which users don't pay for your service. This particular example is facial recognition, and all this is data, it's physiological expressions. Now is very interesting data, especially as more and more surveillance happens, you know, in our homes, around our homes, in our schools, you know, in public transportations, in stadiums, etc. There's interests for both private enterprises to know data as it relates to physiological expressions when they're maybe looking at a vendor that's maybe selling, you know, some fanwar. All this stuff is data that is predictive information for major organizations and governments to profit for both, you know, seemingly

benign economic goals, but also it could easily be used for other types of less altruistic goals. So in the end, my condolences, my condolences for the loss of data privacy. Collective, we should all have some level of deep sorrow also for the end of infosec, and now we've rebranded, right, we've drunken from the marketing Kool-Aid and rebranded. You know, as I look at this number of 9.7 trillion just from 2013 in all of the countries that have been lost a lot of data, it's interesting to look at this data, right, and see the amount of data tied to different types of countries. You go to Kenya at 134,000 different records lost, and then

you go somewhere to like, you know, United Kingdom, where it's 140 million. So what are the interests there? Who are the ones that are profiting this? A lot of it has to do with economic factors. A lot of it also has to do with things related to, uh, strategic geopolitical themes, which we will get into. But let's talk about right now, let's talk about what are the challenges, and part of the challenges that we have is that we have broken threat models. We're calling things a threat without really understanding, you know, uh, a lot of what that means, and we're applying still a lot of stale security principles in this new world. Rubrik is a different

kind of cyber security company. We help our customers keep their businesses up and running even when they had a successful cyber attack or cyber breach, so that kids can go to school, so that hospitals can still operate, so that when you swipe credit card, money comes out even if the business is impacted. That is different from the traditional cyber security that is focused on stopping attacks. We assume that attacks will happen. You can't stop the unstoppable. How do you continue to operate the business even when you have successful attacks and breach? So you're now, I hope everyone could hear that, but if you weren't able to hear the audio for various reasons, um, basically the CEO at

Rubrik recently had, you know, a pretty important week. Uh, they came out with their, uh, initial public offering this week, and, um, you know, there's a lot of things that stand out, the aspect that, you know, he mentioned that we are a different cyber security company, which is common for most cyber security companies to say. Why? Well, obviously he has a job to do as a CEO. Now he has potentially a lot of investors, institutional investors, private investors, so he has to build this momentum, so that's understandable. This is definitely not a ding on similar CEOs that have to do this, right, but peeling back what was said, you know, there's a lot of inconsistencies that

are advertised in the threat model, where, you know, saying that yes, there is preventative failures and we do recognize that we are going to have some get by that could actually compromise, uh, companies' data and through extortion, but the promise, the silver bullet of saying that we help, uh, schools to be able to keep going to school, please, someone provide me the precedence of a litany of schools that have been, you know, unable to continue operations because of ransomware, right. It's not as much as the financial sector, it's definitely not as much as the healthcare sector. Now of course he's in the moment, he's on CNBC live, he's in the hot

seat, but we collectively, right, have to be able to evangelize what is the accurate threat model for what is going on. Other things that are in the water are systemic, and how we consider to train ourselves, right, how we consider to be adept at our jobs. Cyber security training, certifications, you know, being touted as the means and ways to be able to get into the industry and to be successful, and oftentimes that's a misnomer, because there's truly an expectation by a lot of students that begin to do this, take the certifications and are like, show me the money, I know I am now equal to someone that's been doing this for 5, 10, 15 years, and there's

a lot of unrealistic things, especially as it relates to threat models, that are distorting our real focus. Again, my condolences, but we need to change. So risk is completely FUBAR, right, F beyond all recognition, and it's interesting that, you know, over the past, well, really 27 years of I, but really the past 15 or 18 years squarely within cyber security, we don't get risk. We talk about risk like CVSS and CWSS and EPSS, and we want someone else to handle that. So we're like, no, you want me to understand how my security finding relates to your business product, I don't want to touch that, but let me tell you about things that are comfortable. And

this is the problem, is that we're just talking amongst ourselves, right. We have these conferences, you and maybe a new opportunity. I still remember, you know, VerSprite being, you know, one of the above and beyond, uh, supporters in Las Vegas for the original, uh, BSides in Las Vegas, the kind of the grassroots, the counterculture ideologies that defines BSides. We need to change the game. We need to go out to these conferences. What happens if we do training at these conferences, but just for non-security people, but we do it for free, and yes, the vendors is sponsored, but we need to change something, because we get together and we just talk amongst

ourselves. We need to be able to also come to the recognition that risk is not going to come from a dashboard, a tool vendor, or a revered CVSS score. This is, if you've worked with MITRE, phenomenal organization largely supported by DHS funding, they don't know your business, they don't know your customer's business. How can we simply just throw over the fence, you know, technical security related risk findings that are non-contextual to our audiences? So we need to do better. Um, you know, extortion is a great example. Oftentimes we need to understand the threat model for extortion, and ransomware as an attack vector for realizing the goal of extortion as a threat. You wouldn't, for

example, extort a PR marketing firm if we were all cyber criminals, would you? Because there's no urgency in the business model. But transportation, health care, shipping relies, manufacturing, it relies on that, let's move stuff out, and if you pigeonhole that, then you're hurting somebody, right, and this is where the business model of extortion from the cyber criminal sets makes sense. We need to understand that as cyber security professionals. Is coming to grips with the idea that there will be attack a aign kind of failure when it comes to attack security it is actually sign of a strength. So I stopped it there because I don't know, again, is coming to grips with

the idea that the, the audio is working, but this particular segment, I love the question by the CNBC commentator. He had a sincere, you know, look on his face: all right, so you said attacks are going to happen, does this mean that we failed in cyber security? And then the response was that, you know, no, this is a sign of strength, we're moving beyond stopping, now we're looking to response. You can see my concern about the marketing spin that we have as an industry, and again this is not villainizing anybody. The man is the CEO for a company that now has public investors, institutional investors, right, it's shaping the future of his company, he has to be able to make defensive

comments. This is universal, so please do not take this as like a ding to Rubrik at all or the executive team whatsoever, but as we consume this sort of, we recognize the little bit of the marketing that's needed, right, for the public, but we need to be able to not injustice as practitioners and say, yeah, let's move away from prevention and let's focus on response. The fact is we need to improve prevention, we need to leverage automation for prevention, we need to improve contextualization for prevention, and oftentimes we're stuck in our own security fields. You know, as an industry, looking at, you know, the macro issues, status quo today, we have all these

things that I don't personally understand, these self-gratifying CISO award ceremonies that are oftentimes paid to play, by the way. You pay or you have a vendor sponsor, you get an award. What are we celebrating? If you look at all the data breaches, if you look at the commentary from a CNBC analyst who's not in the space and saying have we failed, what are we celebrating? We're rebranding everything is what we're doing. ABC, remember ABC, application security, you know, uh, we have cloud security posture management, now we have application security posture management. You know, you have zero trust. You had principles of zero trust honestly going back 15, 20 years ago with security

architecture, right, just poor execution. We're rebranding everything, and this should be a concern whether you're a student, whether you're a practitioner, whether you're a vendor, whether you're an entrepreneur. We're celebrating the wrong things. We're celebrating certificates and award ceremonies and we're taking our eye off the ball. We're celebrating and focusing on valuation models, multiples on our businesses, so we can cash out, but this is going to have a detrimental effect to the ecosystem that is supposed to protect health care. Think about your own personal family members, right, that are, you know, innocently confiding on technology and services, right. We know better that sometimes there's a lot of things that aren't really up to snuff, up

to par. Bug bounty hypocrisies, let me dive on this for a second. Before, and I used to come from a banking sector, when you would do a pentest for a banking financial institution, you wanted to know who's doing the pentest, have they been background checked, what is their prior, you know, um, experience. Bug bounty hypocrisies, funded again by venture capital, really circumvent all that. It's opening up the kimono for, hey, let's have a global, uh, crowdsourcing platform that's going to lower the unit cost of exploitation, and we don't know really who's knocking on the door, right. There's people that are evaluating the submissions for what is deemed a flaw, and then oftentimes the true

passionate researchers are getting screwed in those deals. A lot of the true positives are not being paid out, right. You're pissing off researchers, generally not a good idea, and on top of that you really don't know who you're allowing to basically, you know, do things onto your product or application or network, and what's to say that someone finds something that's pretty detrimental, are they get to really cash out for a $5,000 payout, or are opportunities on the black market to be able to get that to be a $110,000 payout or a $50,000 payout? Things don't make sense, and honestly a lot of the things that we're doing today is, you know, let's talk about

ATT&CK and SBOM. You know, we are oftentimes like, the ATT&CK framework is a great post-exploitation attack library for your threat model, but not getting as much attention is the software bill of materials, especially for companies that are writing software. Why? Because it's easier to take ATT&CK and put it into tools and then have the dashboard than it is to inventory what are we running and with the implications of that embedded software into the downstream effects into our application architecture. So this is a challenge. You didn't get this remark on the video because I didn't see it through, but one of the questions later from a female commentator was, where are attacks

coming from? He begins with nation states and goes all the way down to teenagers in basements that are flipping their finger to big government and big enterprises. I'm sure they're wearing a hoodie as well. So this is where we're at, this is where we're at today. We need to depart from this status quo, and we lost our hacker way, and you know, this is, you know, well, I think things will get worse before they get better. This is a new seconde Round Table of venture capital and cyber security that's taking place, and a lot of these rhetorical questions is like, are we funding AI applications or AI infrastructure? If applications, how do we make sure that the product has access to

truly unique and proprietary data? These are rhetorical questions, right. We need to be able to address the full stack of how AI can reasonably be adopted and matured at different times. It's been an interesting week in the market, um, financial markets. A lot of tech players, forget cyber security, have had their, uh, financial, you know, reportings, and even Tesla has said there's been some challenges in AI rollouts. Now speaking of AI rollouts, I promised you, what does this have to do with geopolitical climate changes? You know, we are definitely having a climate change within cyber security that's going to be impacted by tech and security, really discrepancies in availability of who can really build out, uh, generative

AI. The giants of tech like Microsoft, Tesla, Amazon will continue to be able to have the means and ways, but what this should trigger in everyone's mind is like, what about those countries that can't afford this tech, what about the companies that don't have this level of competitive, you know, budget to buy some of this tech right now in the market? Everyone will advertise some form of AI adoption, but only the elite will dominate, and so we're going to see AI to be truly transformative in reshaping different industries, primarily in where there's a lot of labor pools in the blue market segment, but also in marketing services, in software development services, where you have the opportunities for AI to

really drive the full stack of secure software development life cycle. There's a tsunami of work displacement ahead, and if you're in this industry, if you're just coming in or if you're a veteran and you don't want to run to the hills, dig down, because it's going to be a game changer over the next couple of months. We're going to see a lot of changes are going to displace tech, and the richer countries are going to find more use cases for it, poor countries are just simply going to be consuming what's being built. Now there's a great opportunity for the East. I found the past three weeks traveling all throughout APAC, Asia Pacific, and it's

interesting, and it's a sharp contrast. You see on the West a lot of societal, really, decay. There's a lot of, uh, faction groups at each other's throats. Um, this is going to lead to a lot of things that affects supply chain, supply labor pools, what's being taught, um, sustainable, you know, uh, technology and sustainable, you know, uh, pools of talented labor. The East doesn't have the same perils right now, and it has an opportunity truly to take the discipline that it has in its, uh, cultural norms to be able to thrive to a new level where AI can take economies and entrepreneurs from the East to a totally different level, but an

a global AI disequilibrium is definitely ahead. Look at the chart at the top right, right, so Asia Pacific, you see the jump between 2023 and 2028 signifying one of the largest jumps outside of still North America, where you see a big jump still between 2023 and 2028, where you have market consolidation, you have, you know, focus on, um, cyber security, you know, market development, but definitely in the East there's a lot of opportunity, but we have to do it right. So contributing factor is that hopefully the East can learn is to not over, to do the right type of marketing, right. I say marketing is evil is kind of a, uh, kind of a tongue in

cheek, but it's the right type of market. You know what sells, um, is true authenticity. You know, VerSprite, the company that I founded, literally means true spirited. We have like two people in our sales team. You do good work, you find success, and if you're an entrepreneur and you have quality work, quality product, it's going to market. Tesla doesn't do a lot of advertising in the United States, GMC does. Um, venture capital necessitates returns, so if you're an entrepreneur and you're in the space, the problem we have with, uh, venture capital is that it's reshaping perspective and goals where entrepreneurs want to focus too much on the exit versus actually being a game changer, and we need more game

changing. Debt sheets, capital calls, what this does is it takes companies like Lacework and Wiz and, um, Aqua and the CSPM market as an example, which is a familiar space for us, to be able to have to offer subscription fees that are unobtainable for midcap and SMBs, and it's elevating the cost of cyber security for big enterprises. So it's, meanwhile, right, we have influencers and marketing companies that are altering the focus, right, they're glorifying a lot of whoever has the most marketing budget to support these, you know, CISO awards or these very, you know, self-patting on the back ceremonies. It's just adding to, you know, the overall noise, and this is affecting really what

as global consumer markets, what they're paying attention to, right. Gartner says go here, right, and so we have companies that are security startups that are put into a magic quadrant, and because people don't want to do the necessary analysis, they go with what a marketing entity says in the study says, and people don't realize that these services are pay to play. Whoever has the budget, um, is going to be able to be at the forefront of what is deemed to be effective in cyber security solutioning. Venture exits lead to disruption reliable sustainable security processes. I can't say that enough. What this means is that you have companies, you know, that are being backed

by, you know, Israeli based startups or, you know, Boston based venture capitalist or private equity in the Bay Area, and it's creating a need for everything to focus at higher dollar subscription models, which makes the tech to be unobtainable even for enterprises that are in sectors that are not as mature, like manufacturing, like higher education. Meanwhile we have separate problems in terms at an individual level, right. The certification business is absolutely booming, certifications for everything, training for everything, but it doesn't funnel into milestone measurement, right. You get a certification, and a lot of people that are highly certified are unemployed, and so what's going to happen with the AI adoption is that a lot of

the jobs that they're looking to get will actually be displaced through levels of automation. This is going to have huge implications and create a disequilibrium across the global market. Labor shortages will happen because the talent that we need is not there. The educational system in the West is getting worse and a lot of people can't even afford to get in there, so your labor pools go down further, which means that supply goes down, and then the cost of finding the right people goes way up, which means that the products and fees have to go up as

well. Did you know Canada might be the first to introduce universal basic income? Judging by how fast AI is developing, other countries will need to move quickly from discussing policy to legislating. Why? Because everywhere you look AI is threatening jobs. Klarna's replacing customer service agents, ChatGPT is replacing copywriters, translators and more, and Devin AI is replacing software programmers. If that's not enough, Agility Robotics and Figure are replacing humans in warehouses and factories. You're doing it because you're trying to affect the bottom line, uh, and to fill labor gaps and everything else there, so that's where it's going to start, and that right there is an argument for why governments and people need to start thinking about

this now. No, that last comment there, and this is really the geopolitical aspect, right, is that we're on the precipice of refining AI. This past week on Wall Street a lot of the major tech players recognize some of the challenges and timelines to rolling out AI, but efficiency will continue to happen, hardware will improve. Here you have, you know, Greg Brockman talking about the first Nvidia DGX H200 in the world being opened up like a Christmas present at the OpenAI. You have the Tesla's Dojo cluster being unveiled, right, and then you have the concerns of what does this mean for labor pools, what does this mean for economies, what does this mean after the

fact when there is labor displacements, and this notion that's being spoken about in Canada about a universal income, right, where it's just this recognition that, listen, there's going to be a huge displacement of labor, and that labor cannot in a timely fashion go into alternative forms of a different labor market, a different pool, and so there's this aspect of universal income. With that it's going to be dissension, maybe political turmoil, um, pressures on social welfare services that need to happen, right, and the other aspect that's super important, if there is an introduction of a universal income level, that means that the government now has an opportunity to be able to almost like, you know, ear tag

all the citizens that need to have that universal income, and they need to abide by certain different types of conditions, so the Big Brother phenomena is very much close at hand. This is a new dawn for cyber security. The implications of just doing what we do, doing about dashboarding and security silver bullets and focusing on exit plans, you know, there's more serious things at stake, and if you're passionate about what you do, Mission you to be able to think more seriously about how you can contribute to be able to influence a new dawn in cyber security. So I'll end with this one last slide. One of the things, you know, that I have in terms of

recommendations and there's three really recommendation tidbits I have one is for the entrepreneur and I say this to all my employees at versprite passion over money if you're passionate about something everything else will follow success you know financial gain and even if it doesn't even if it doesn't the road of failing with passion is far better than the road of compromising security snake oil for dollars because at the end of the day you have to go to sleep at night second have a clear vision if you're an entrepreneur sitting in the audience today have a clear vision for what you are trying to build and understand that failure is absolutely the best teacher I've learned only from failures

and I love to fail I love to fail because it makes me more resilient if I fail I will not fail in the same way ever again so be focused on those things now for the practitioner student mindset forever if you have the word expert or rockstar awarded to you or in your you know profile please take it out that this is a new dawn in cyber security no doesn't matter how long the tenure doesn't matter all the accolades and accomplishments no one is an expert student mindset number two develop a niche focus on your niche are you focusing on maybe securing the CI/CD pipeline a lot of people aren't really thinking about that so may that be your

focus what about is it in more of threat intel is it in ENT Gathering find a niche and be a phenomenal uh practitioner still a student in that niche be a self-learner this is an industry where you have to always continuously be learning learn from others learn about what sometimes even ignorant sayings teaches us you know the temperature of what different practitioners should not be saying or what problems we have that we've kind of covered in this presentation automation is going to be a constant for the future don't shy away from it and whatever you focus your niche on be interested in automation be interested in efficiency because I guarantee you right now every industry

is focusing on automation marketing health care uh grocer operations inventory management it does not matter automation is here to stay develop a road map for where you want to be as a practitioner and understand the threat model for what you're evaluating if you're doing application security if you're doing uh organizational enterprise security do you understand and have you built a threat model that is fed from threats that are happening based upon the attack surface the industry the data flows of your model this is super important now for the enterprises develop your threat model in a similar fashion and reasoning let your threat model encompass your security decisioning often times we run enterprises based upon you know a framework

and as great as the international standards organization is or the collaboration that exists from the National Institute of Standards and other forums they don't know your business they don't know your attack surface they don't know your impact levels build your own threat model my threat model is not your threat model and that's super important credence to follow make sure that your security ecosystems that you're building are truly an ecosystem and not security islands often times we buy and procure services and technology to solve problems I need to solve a problem for endpoint protection buy implement done you're not done because you haven't considered you know data flows from that countermeasure have you ensured good

data telemetry have you ensured great security automation that happens upon detection right build an ecosystem build an ecosystem and lastly develop a road map and understand your own threat model the former CEO of Binance CZ you know always have this mantra of do your own research and I think that's very important that now today where there's misinformation campaigns there's a lot of propaganda we have to build we have to do our own research and hopefully today's events and overall the training that you get from BSides Goa have allowed you to have some new ideas on what to research what to continue onward so that you can build um an effective career an effective product

and a more resilient enterprise thank you so much for your attention and your time my regrets for not being there in person I hope to visit the beautiful city of Goa very soon another time if you do wish to follow up with me please check out some of my social media contact information there my email addresses and whatnot but um hope to see you all next time take care