The Future of Data Privacy and Information Security with Steve Henn, Esq.


Steve Henn, Paul Starrett


Paul Starrett: 0:05
Hello, and welcome to another PrivacyLabs podcast. Remember, PrivacyLab is one word and we specialize in bringing together all the different aspects of your compliance quest. And this podcast will be very onpoint. With regard to that, I am very honored to have Steve Henn that’s HENN with me here today who brings a very unique perspective to this. And I’ll note that the two of us have a fair amount of background in common in addition to having worked together, we are both attorneys, and we both have an extensive background in technology. A lot of that is in artificial intelligence, which is a very special skill set, if I say so myself. Our our goal here today in this podcast is to kind of look at how do we herd the cats of compliance? Really, what we’re going to discuss today, specifically is privacy and security, and how those come together and how they’re really how much overlap there is. But there’s, we’re also going to discuss how does that kind of stretch out into other areas? And how do we get all that together into one place and bringing it into a coherent and holistic ecosystem? I think that I’ll give Steve a brief introduction here. Again, I had the great pleasure of working with Steve and my last full time job. He actually worked for him, he was the chief executive officer of an international publicly traded company, we dealt with data management in the legal profession. And I was his chief risk officer and general counsel eventually. And I learned a lot from him and just had the honor of several years of us kind of getting to know each other and so on. I think with that said, Steve, why don’t you introduce yourself and your, your role and your companies? And then we’ll jump right into the topics.

Steve Henn: 1:52
Sure. Thanks a lot, Paul. And thanks for having me. I really appreciate it. It’s always good to get together with you, regardless of the circumstances. And I think this podcast is just a terrific idea and I’m very happy you invited me on a little bit of my background, I’ve been in the legal technology area for over 20 years. As you mentioned, I’ve run a number of companies in the in the area, my specialty is in the AI analytics RPA broadly construed applied to business problems, whether you know, they are you know, large business systems or you know, minor difficulties like that, that companies have. But it always seems to revolve around the use manipulation understanding of data. Right now, I am Chief Revenue Officer of a couple of sister companies primarily Extend Resources, Extent Resources is a services company focused on legal process, as well as information security. And then there is also Orrios. Orrios is a technology company. And Orrios provides a ISMS and Information Security Management System, software as a service to help companies manage their infosec program. The way I liken it is that you know what an accounting system is to a finance department, our product on track is for information security. So it doesn’t exactly. It doesn’t necessarily do things like Endpoint Protection, what it does is it manages the complete process from soup to nuts, to allow you to, to, to allow you to make sure that whatever framework or standard that you’re complying to, or whatever your set of criterias are, are properly followed. But again, thank you for having me looking forward to the conversation.

Paul Starrett: 3:58
Great. And just just to tail off that there’s a synergy between those two companies.

Steve Henn: 4:03
Yes, absolutely. Absolutely. And we can talk a little bit about that, you know, we’ve we’ve found there are circumstances where companies have adequate internal resources, but are looking at a, you know, looking at a way to use technology to force multiply. We also found that there are companies of course, that, you know, where information security as a function is, is sort of handed off to the IT area, and as smart as those men and women are, they A are usually overworked and understaffed and B they don’t necessarily have the information security expertise. And, you know, so in a company like Extend can really be sort of an extension of their informatioN security capabilities and staff.

Paul Starrett: 4:57
Right and very briefly before jumping the questions. I think one key note there that we’ll be expanding on here is that there are peripheral skill sets that need to be brought into the fray, if you will, to help to bring a coherence to raise that term. You’ll hear it again here. Great. Well, thank you. I just thought that was an important aspect of those two companies in the fact that you’re in charge of both from the revenue standpoint. So getting back to the main issue here of herding the cats is really turn that works well, laws, data, controls, enterprises have their own priorities and risks. And certainly, it’s an obvious statement that people want to be holistic, they want to be they want to address interconnection. But with that said, Steve, in your background, and what your you and your companies are seeing, what are you seeing as sort of the biggest challenges right now with regard to information security and privacy, and this quest to be having a holistic, kind of coherent, well stitched together trusted environment?

Steve Henn: 5:59
Well, you know, I think the biggest challenge is stemming from, you know, arise from the environment we’re at, right, we have we have, we are in a highly aggressive cyber war right now. And it used to be that, you know, they would focus on the large the the hackers would focus on the large company, companies. And now they’re just simply not doing that. It’s extensive, whether you are enterprise, large company, middle market, SMB, you’re a target. And to a certain extent that they realize now that the smaller the enterprise, a lot of times the less resources that that enterprise has to apply to information security so that they’re, they’re going after them as a vehicle to get to potentially larger companies. So I think that so that’s where the environment is. Now, I will say that that one of the things I think is really interesting, as we start to transform that the industry is why do we continue to make a distinction between information security and data privacy, they’re really two sides of the same coin. And, and I think that if, you know, years ago, maybe the Venn diagram wasn’t completely overlapping. But I don’t see how there’s no that there how there’s any difference anymore between the two. And what I mean by that is, is if you think about the two of them, right information security, and at the risk of being tautogical, you’re really looking at ways to secure your data information within the company. So you’re thinking of that as a corporate function to secure your information stores. data privacy actually has a little have a couple of different contexts. One is if you’re if you’re within the corporation, like a data privacy officer, you tend to look at that your function tends to be what are you? How are you complying with data privacy laws. So Information Security tends to be technology focused, data privacy within the corporation tends to be run by a lawyer or legal focus. data privacy, if you’re external from the firm, they’ll mean something completely different, right? It’s from an individual’s perspective, the customer or the individual has, has provided data that they want to make sure is obviously secure and used in in a correct way. Now, the reason I asked reason I say that the we really can’t make distinctions anymore, is because I think we need I think, as part of a good defense against or within this environment that we find ourselves, we have to simplify. And so we need to stop making granular distinctions on the difference between confidential or sensitive or any sort of realm of range of data. It’s sort of either binary, right, it’s binary, either I’m protect it, or you don’t feel that you need to protect that securely. But I don’t think that there’s can be really any granularity in terms of the way that you look at that. Second thing is, you can’t make a distinction anymore between looking at your data and the data of your customers and vendors. Now, let me put it straight. Some companies really, in because of regulations or because of you know, internal culture, look at securing customer data, as the highest priority, and maybe their own data is different. Going back to my point, I think we need to simplify, don’t make any distinctions. Because if you start to make distinctions, you’re actually introducing weaknesses and confusion and complexity to the process, which is detrimental to really achieving the mission of securing the data that you are in possession of yours or someone else’s.

Paul Starrett: 9:46
I couldn’t agree more. I think that as they say, KISS keep it simple, stupid, right? It’s, it’s, it does it gives you a simple message to the people who are on the ground who are part of the daily operations. to just have a very straightforward, basic mantra, if you will. And as we were talking and developing this together prior to the podcast, you said something I think that I’m going to repeat often is that is if you are secure, you are compliant. I thought that was a great way of putting this, I think really helps to, to put into simple words, but you just said,

Steve Henn: 10:24
Right. Well, and again, I mean, I think that this is a broad subject, right, the recent T Mobile hack, you know, I was having a conversation on the loss of the social security numbers for T Mobile, with someone who’s not in the industry. And they looked at me and said, why does T Mobile have such security numbers?

Paul Starrett: 10:41
That’s a good point.

Steve Henn: 10:43
Yeah. And and there may be an absolute, phenomenal, legitimate business reason that was not apparent to someone who’s not in the industry. But But again, I think that and then, of course, the second question is, if they have so security numbers, and it’s not, you know, why weren’t they secure? Why weren’t they encrypted? Why wasn’t that data part of, you know, even if they weren’t using on a day to day basis, why wasn’t an encrypted in a in a in a, you know, data vault, like visi vault, or something like that, where even if they were, even if it was breached, the data that the hackers would have got would be encrypted. So, you know, why are they using it? And why were they, why was it handled in the way that it was? You, you know, from my perspective, every organization needs to look at, look at all the data within their stores and say, we’re going to treat this all the same. And we’re going to treat this all as a as a higher priority.

Paul Starrett: 11:37
Yes, and I think that I’m going to nuance i think that’s that’s kind of jumps out at me, is that you with privacy laws, you’re only supposed to use information that you need, if you don’t get rid of it. And I think the the, the approach to privacy and information security is in part, what you do keep, because you know, we’ve heard this term redundant, Oh, my gosh, obsolete or trivial data rot data, they call it is a huge risk. And that’s something that you want to address from from both angles. I think one thing that you that you mentioned, during our discussion is the cost of doing this, the technology really kind of comes in and becomes your, you know, your white horse, you’re your knight in shining armor. The cost? You had an example, for example of a your platform, and, and how that stands out, because really, technology solutions are far more cost efficient, and really go directly to the bottom line. I think you had an example that I think is very helpful.

Steve Henn: 12:49
Well, yeah, it did. And I, by the way, your point about ROT is spot on, right. I mean, I think that that is one of the things and we could talk about how companies can address some of the areas to get themselves, you know, to be seen as a trusted custodian of data. But, but but the point about cost is, I think it’s very important, because cost tends to be one of those, those items, and obviously, we’re in in with unlimited resources, cost doesn’t matter. But cost is and a obstacle, a lot of times have perceived perception of cost as an obstacle for companies to really start to get compliant and, and get their information security house in order. But the example I used is, is, you know, you can use a platform as a force multiplier technology. And, you know, there are a range of different platforms out there. But for honestly, the cost of for half the cost, I should say, of a minimum wage employee, you can have a platform that takes you through the process, manages it all for you and allows your IT staff to become information security experts. And I think that’s very, very important. For people to understand this is not something that necessarily costs hundreds of 1000s of dollars, you can get started in a reasonable way with reasonable cost. If you don’t have the resources, obviously, you can outsource expertise, they can call you they can call me that we can work together. I think that that my only my only point about outsourcing is I would my suggestion would be look for the consultants that want to teach you to fish, not give the fish you the right. Yeah, it’s important that if you are buying services, that ultimately it’s a learning experience for you. So you can start internalizing it for a variety of different reasons, not the least of which is ultimately you’re responsible. If something does happen. You can point the finger all you want to the consultants but the fact of matter is it’s your tail on the line. So I think it’s very, very important to to view the the outsource consulting expertise as a way to bring you and your staff up to speed on the issues that are important.

Paul Starrett: 15:06
Yes. And again, I couldn’t agree more. I think that the training and having a culture of compliance, which you hear very often allows the people that are internal because they’re the ones that know that the specifics and the details of what they do. And often, that’s where the problems are in the details. So by educating them, allowing them to ingest it and making an organic thought process, I think is, is really key. And I think the example you gave was that, you know, if a person is making minimum wage right now, at the time of this recording is about $15 an hour, that could change. But that’s about $30,000 a year. And if you have a platform that’s available, which say, for example, a few $1,000 a month, you are force multiplayer, I think is a great way to state that, because you know, it’s not a fun spend compliance has always considered a necessary evil, although it could be spun into a competitive advantage and the firm, the enterprise, whatever it can then, you know, advertise that they are they take your sensitive information very seriously, and that you are a trusted entity that is becoming a something that can be turned around. So I think I think that kind of doesn’t that that does that not sort of get through, I think the basics that we had there. I what I would like to do, Steve is I give all of the people who I interview, an opportunity to mention something that we have uncovered some one or two things that you think and I know I’m hitting you off the top of my head, I’m catching you off guard here, but maybe a few things that you’d like to leave with our audience before we round out here that you think is important for our audience to know.

Steve Henn: 16:44
Well, sure, what I’ll do is I’ll leave you with a with sort of four questions. I think, as you start to think about your information, security posture, your data privacy position, what you need to do, they’re really, really four questions that you want to answer even before you call up. You know, guys like you guys like me, because we’re going to have those questions for you no matter what, and you might as well start to think about it. But going quickly through I think one is understand what the regulatory environment you’re operating in, right? If you’re a healthcare company, you know, you’re operating in a few different environments, HIPAA and other in other regulations, you know, you have FERPA for for education, you’re if you’re a defense contractor, you’re DFARS, you’re operating under a un regulatory environment, that’s important to understand and the fact that matters, you’re probably under multiple environment, regulatory environment. So I think that’s really, really important getting clarity on what, what you need to, to what standards or regulations you need to meet. The second thing, I think you really need to think about what data that you need to protect, right? Ours and others, right, so our own data we protect, but we also are custodians for data, that is, you know, given to us by our client, by our clients, and we need to protect that, as well. I would note that client data would be could be direct data data that’s provided by the client to us. But it also includes derivative data, right? If you’re a consultant, and you’re producing reports, or information off of that data, that data should be considered as well to. Also, if you’re a retailer consumer facing there’s a fair, fair chance that the direct data that you have on your clients is less than half maybe less than a third of the actual data you do because you there, you know, you can you can get and matched data from outside sources. How do you handle that derivative data that’s outside the cluster of the mandate, I think is very, very important. If you’re making a distinction, I think you’re you’re backing yourself into a corner. So that’s number two, what’s the data that you need to protect? Obviously, where is the data, internal stores, external stores, those sorts of things. The data comes in multiple forms. We always talk about digital, that’s the world we operate in, Paul. Yeah. But you know, people produce reports, they print out documents, you know, those sorts of things. So physical copies of data are important to secure as well as your employees, right? Your employees have data rummaging around in their head. They may not have the memorized security numbers, but they have trade secrets, other sort of sensitive information, making sure that they are cognizant of the environments that they’re working in and not to disclose data. You know, you’re a lawyer, you’ll get the story I’ll never forget. I was on a train going into New York and there were two attorneys sitting in front of me and they were talking about a merger and they did not disclose the name, but they disclosed in information enough, where within five minutes and a Google search, I could tell who was the acquirer and who was the acquiring acquired company. It wasn’t that hard yet, right? So being conscious about that, right, that human data that leaked out into that train, and there have been, by the way, a number of very high profile incidents I go, I’m in the Northeast Corridor, there have been a number of high profile incidents where data is, is leaked out, because people are yapping on the phone. So, you know, digital, physical, human sources, so where’s your data is important. And the last one I would know, and this is the hardest is think about how your data moves through your organization. So I say that’s in flow, and in some cases, how it moves and where it stops, or slows down, because it’s either copied or manipulated, or changed or etc. So that’s the stasis part about it. Knowing that is in critically important for you to ultimately, control and, and maintain high level of information security, because if you wait five minutes, your data profile will change data is highly dynamic, both in what it is, where it is, how it moves. So you know, you can’t do this real time. But you can really start to understand key flows, because there may be a process that you have, that you watch, you examine the flow of the data, and you realize that there is a huge vulnerability that with an individual or with something like that, that they need, that companies need to understand. Those are the four questions before even you call, you know, people like us, companies should really start to think about, and it’s intimidating. I know, there’s a lot of things that that you may hear that say, oh, wow, this is, this is a pretty big project. But you know, the way you eat an elephant is one bite at a time guarding right now. To to, to move forward and understand this, this is going to help you get executive buy in as well, too, because it’s going to show that you know, your stuff, you know, and can scope the the the challenge of the project of getting, you know, highly secure.

Paul Starrett: 22:15
Yes. And I think that’s oftentimes with regulators, half the battle is showing that you’re trying, you know, they know, it’s, it’s, you’re not perfect. And I do think that going back to your earlier point about simplicity, if you’re too worried about things, as you indicated, the motion of the data is a moving target. And the more simple this more simplified, you are about securing your data, the less I think you have to worry about the movement, because you just know that it’s everything is just being secured. You’re not getting too caught up in the nuances and kalidoscope is a great point. Yes. So great. Well, thank you for that I would, you know checked, I tick off those boxes, those four points as well, myself, I we could probably go on for another hour here, Steve on any of these topics. But I think we’ve you’ve done a fantastic job of giving us some some many of your insights and your your background. And so thank you, what if people want to get in touch with you? What would be the best way to do that?

Steve Henn: 23:17
Oh, sure, thanks. I think the best way would be you know, via email, the email, and if you attach it in the notes to this, it’s fine. But it’s Feel free to, you know, shoot me an email. I can give you my phone number to provide out there as well, too if people want it as well. But feel free even if you just want to chat about it, more than happy to talk about it with any of the listeners. And don’t hesitate to reach out and we can talk about how to help you make you secure.

Paul Starrett: 23:58
Very good. And just to give you and your companies a shout out. I think many of the things you’ve mentioned, are made much more comfortable with your two companies or Orrios and Extend Resources. That does it, folks. I think there’s a good chance that Steve and I will have another follow on podcast but again, excuse me. Thank you, Steve. I just did a quick word about PrivacyLabs, we bring together the the compliance and the technology, kind of what we’ve been talking about. And that’s our sort of our purpose for being. Feel free to reach out to us. Of course, you’re already on our website if you’re hearing the podcast so you can contact us through those. Those means. Thank you again, Steve was a real pleasure. And thank you audience for listening. And I look forward to having you back.

Steve Henn: 24:41
Great. Thanks. Thanks for having me, Paul.

Share this post

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email